Edit tour

Windows Analysis Report
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Overview

General Information

Sample name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Analysis ID:	1585896
MD5:	3aaa7d691a22ec1b7f9d03d63c7017a3
SHA1:	b4a38d0c4b81a50fb40e407e4d439fd18cca89c2
SHA256:	f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
Tags:	exeuser-threatcat_ch
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Sample has a suspicious name (potential lure to open the executable)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe (PID: 1072 cmdline: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe" MD5: 3AAA7D691A22EC1B7F9D03D63C7017A3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Virustotal: Detection: 23%			Perma Link
Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.7% probability

Machine Learning detection for sample

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Joe Sandbox ML: detected

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405861
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_0040639C FindFirstFileA,FindClose,	0_2_0040639C
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052FE

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Source: initial sample	Static PE information: Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Sample has a suspicious name (potential lure to open the executable)

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_033921E4 NtAllocateVirtualMemory,

0_2_033921E4

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_0040330D

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00406725	0_2_00406725
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00404B3D	0_2_00404B3D
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_03392404	0_2_03392404
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_03365667	0_2_03365667

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/8@0/0

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

0_2_0040330D

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_004045CA GetDlgItem,SetWindowTextA,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_004045CA

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_004020CB LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,

0_2_004020CB

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsw8FA.tmp

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Virustotal: Detection: 23%
Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File read: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_10001A5D LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_10002D20 push eax; ret	0_2_10002D4E
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_03047594 push ds; retf	0_2_03047598
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_0304A594 push ds; retf	0_2_0304A598

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

RDTSC instruction interceptor: First address: 3356176 second address: 3356176 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F19B0D3B691h 0x00000006 cmp bx, dx 0x00000009 cmp edx, 75070339h 0x0000000f inc ebp 0x00000010 inc ebx 0x00000011 rdtsc

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405861
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_0040639C FindFirstFileA,FindClose,	0_2_0040639C
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4578
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4407

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_00401759 lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatA,

0_2_00401759

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

0_2_10001A5D

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

0_2_0040330D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	24%	Virustotal	Browse
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	13%	ReversingLabs
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585896
Start date and time:	2025-01-08 13:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll	asXlZG3aW6.exe	Get hash	malicious	Remcos, GuLoader	Browse
	asXlZG3aW6.exe	Get hash	malicious	GuLoader	Browse
	aMfizaMilo.exe	Get hash	malicious	GuLoader	Browse
	1ppvR5VRT6.exe	Get hash	malicious	GuLoader	Browse
	Ozb8aojWew.exe	Get hash	malicious	GuLoader	Browse
	aMfizaMilo.exe	Get hash	malicious	GuLoader	Browse
	1ppvR5VRT6.exe	Get hash	malicious	GuLoader	Browse
	Ozb8aojWew.exe	Get hash	malicious	GuLoader	Browse
	Documents.com.exe	Get hash	malicious	GuLoader	Browse
	Documents.com.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Biri.skr

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	126219
Entropy (8bit):	1.2476140630029537
Encrypted:	false
SSDEEP:	768:ypw+1R1HmrJqSpqHt8wu/Uc8A82XMK80Wnseb5duoe2njOg5X/G7:yEpmwKm
MD5:	BE1AEA45CD04BE1806BE5777F6529ECE
SHA1:	B3E4893ADB16D8677032B9B8C3B419FB6F9040D2
SHA-256:	34DDE02E575CF514C32DF1108FB8D83E22831B5A13733793C7B00C1B119320DE
SHA-512:	9649E9AB3AB9C3290E118E4E8F4354B067259B96E06753E9F1EC97AD4A5A41EE3438411D0166B7F390EA41489629D8338AF00FAB7964C5C91EEDE4978AFC7FC8
Malicious:	false
Reputation:	low
Preview:	......@.......................................................=...................................J..............................................................+...v....U......S...+)..........................................................l...........................7.......l.h..................H...^...<....................................................8..................................................v..............................._..............X....>...................{...H.......................h.........................................[.............................Rh... ..................6..............................................^............................................u....a............T......\|}............................................~..............S......v.........................................u......................................................................../.................................................l............................>..........3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Bolledejenes.Oct

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	160111
Entropy (8bit):	4.61177827745717
Encrypted:	false
SSDEEP:	1536:OCVoX8mo2OJSJ1Raq+jUcN07YmT8NIhUXhjTBZk/UlwxXOvo8xvC57V4:OCR2oSPsqE5N07KIejTBW/UlTnh0u
MD5:	DAC8AD7A61DA75BF3FD4CFD961B59785
SHA1:	E6ABF71F06625242C8A9C259432366CF157E80A1
SHA-256:	2FF1149DAB333F24B706F052FEF92B2E1A10A83228581E4D299439C54C6873E5
SHA-512:	6D561D2C74B045B65DE3BCE219E16A1EBDC04D5496E7C8C5978DBE2B7CF121AB6C4D28C71E046E07E992F7A72CB50D895E35548E796458EDC32125A8E2EBD4B3
Malicious:	false
Reputation:	low
Preview:	.....A.......................555................O.e...9...........r..^^^....tt....).....__.ee...v.1.....i......FF........rrr.....R.RRR..aa..........9.AAAA..s.......... .............n...```......."".........kkk.`........44..................e................u...:.........}}."...$............+....Q.....dd............................qq.......................h..qq.DD........ccc.....AA.............77.PPP..................!...................o................................`..Q.K.1.[.......................i...7..........rrr.........SS....3....LLLL.)............}}...........E............88...............]..222....f.....!......cccccc.....K..M.....;..................GG....:.{{{{...........{{..!!.........J....................\........_.........................ppp.4......PP....(((............SSSS........................\|\|\|...#.[[.........,,."".........f.........BB......R..........................................M...........&&&&&&&&.....&&&&&&&............................;;.E.i.(.NN.F....^.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Skrabs.Alv23

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	297766
Entropy (8bit):	7.644164061387471
Encrypted:	false
SSDEEP:	6144:lb1onEt4p7W93cV7+AyxJIF+0W8I1zP8BekEfy7BBb7AeceH5T:f1I7s3W411zP8Bekl7b7qiT
MD5:	4D5E9D327B3D4081201FF7EC1187EEFE
SHA1:	9DB6378CAC8481F34726E268B4EF7B56C2DEB488
SHA-256:	DE01E2CF5805708FDFDD3EBE15D6ECBC3F455324CA014148D88893917A7B42F4
SHA-512:	A6B695ADBD375C6A393145DD19FBB8703974FF8297274151AA683DB79938B244CECB4C400D914C96F4A06FCA3AB47E48E3E3FAD62086C4A79B06B4D170BBCB0B
Malicious:	false
Reputation:	low
Preview:	............................jj......................2222.....ooooo......cc.}}.............2...(((((....................<...s..[[.............uu............~~~~~......R..............!........jjjj..........))))........u.l..........>>>>........................................OO..lll.............`...............u...VV....................................@............s......7.........+..........................L.l.............^......G.g.............RR..................nn.......................T.BBBB...........nn.....L.11.. .9...99...........B.....b.y.................".........E...............................???........P................................G................ ...........bb.~...<<..PP.....1111..WWW..............nn.{{....................''.j.EEEEE....TT...._......].............0.......&&.!!!!!.......{{.......Q................hh.....A..222...............................T.......i...c............1.....ggggg.................l........l.................................V.....AA......66.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\cambalo.inh

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	37896
Entropy (8bit):	1.200616357643719
Encrypted:	false
SSDEEP:	192:GGByFFg5xUFtU4WnCLunXiPBK+34PvQ27JnTpFsxxa:GGByFFg5xU/U4WsunXiE+3gvQ2fFsxxa
MD5:	0B216F5A8151B9C6EB9AD7F89A9BC030
SHA1:	3F34D9DFA023843C1B66155ADD4E5C311F07DCA0
SHA-256:	FD8DE6BF1B5A69687911C500A12D5BA3092569611844CDED241563AB9E611A32
SHA-512:	EFB2C8919AF7A0D618085DF35557CDAA59C350FDFE617A5F18BFA449AD09B105DC3CA8F4467C69763CD2AEBB376F8122FF7116B9D3DE85391E3462C2FD59966A
Malicious:	false
Reputation:	low
Preview:	.....J...................T......H......].....j..........@..............................?................................}.................................,.F...............n...............................*.....................a..........................................................................2......................................................................,.............................................._{.......................................t...................V.............................................V..............................................................;..........................}...]6..........O........T........oz.......................................................................cb.................................................................}b....................................i...........................................e.....&........................p..........................................................6..#................P.................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\oink.tyk

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	214335
Entropy (8bit):	1.2476323095361204
Encrypted:	false
SSDEEP:	768:99C7iXwL7CwdtIlUUoJOtkhmD6bddfwlR6eng3tDfGXU41X8Kbfjl+f7KoZ3pkmY:eiRa7POSx67/L
MD5:	59874EF8405969406DE4B3A1C90793D4
SHA1:	C3A8B546FA78D9218E8355756B12921E6419E69E
SHA-256:	24F7B3739548CFA16CB005CD467F26C369EBCA40B4867C197BF4A90DD8939079
SHA-512:	F6BC59CC92DD6660662193A49D2C1023DC42141948E9361CB6FA122BA796FE2175C9A3CF68F4318BA728315DD1BCBAE0DB925C03D6EED8540C4FB5A961E7BEE9
Malicious:	false
Reputation:	low
Preview:	.....................w.......].........................X..!.......p.....{................................t............................~...........................................j................................w..........L....................+.................................P...2T...........[.........................2..................................................................e...........................................................................P..............................}..........$..................................................... ....................................................................................M.............................................................a.......................................\|..........=..............................................M.....!......g.........d................i...d...E................................................................................*..........................................................w.......

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\nsw8FB.tmp

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	852876
Entropy (8bit):	4.693141672071345
Encrypted:	false
SSDEEP:	6144:7Gb1onEt4p7W93cV7+AyxJIF+0W8I1zP8BekEfy7BBb7AeceH5yOoSBojTBTniPd:S1I7s3W411zP8Bekl7b7qit/Bo/eV3
MD5:	3FD736680EDD9E357A6F72C5F3C6EE7C
SHA1:	659E7F9DDE6374C99CA149A97CC8BC2A6F0A89B7
SHA-256:	B2C02E3D580279A64FD5211B4C88D4990EECDACB59DE3855A49C33FC0DB8140E
SHA-512:	A51F875657A5BAA36929E5E5E244EE58D5409439D5E0157FAC58E4721B86EC4A8A475AE6B96A67A4EBD35BAF7D1B6A6797B3F30C214BE26BC564A91AFB8F7506
Malicious:	false
Reputation:	low
Preview:	........,...................V...,...........................................................................................................................................................................................................................................................J...Y...............j...............................................................................................................................k...................4...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.76781505116372
Encrypted:	false
SSDEEP:	192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
MD5:	55A26D7800446F1373056064C64C3CE8
SHA1:	80256857E9A0A9C8897923B717F3435295A76002
SHA-256:	904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
SHA-512:	04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: asXlZG3aW6.exe, Detection: malicious, Browse Filename: asXlZG3aW6.exe, Detection: malicious, Browse Filename: aMfizaMilo.exe, Detection: malicious, Browse Filename: 1ppvR5VRT6.exe, Detection: malicious, Browse Filename: Ozb8aojWew.exe, Detection: malicious, Browse Filename: aMfizaMilo.exe, Detection: malicious, Browse Filename: 1ppvR5VRT6.exe, Detection: malicious, Browse Filename: Ozb8aojWew.exe, Detection: malicious, Browse Filename: Documents.com.exe, Detection: malicious, Browse Filename: Documents.com.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...R..Y...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.963084706950689
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File size:	429'842 bytes
MD5:	3aaa7d691a22ec1b7f9d03d63c7017a3
SHA1:	b4a38d0c4b81a50fb40e407e4d439fd18cca89c2
SHA256:	f214476db64248c82861c7b27fd55186beaf2e292cbe013d47f17305c3b2e95d
SHA512:	5612ae5dc8056f0fa61b6c6f25ab9eed002db9ffb5860dad3c47466c7530da7e6ba15841d5bd30ef3f53c3f86a9c9a2506bedcaaf013ee6eab45929f6deead3e
SSDEEP:	12288:cAZO544z70HKziHbZj+7izkKLBH7+P2iO:cAY+XqeF+AkKd6P2iO
TLSH:	4E94231A50F793D7E7F28B7034A3EE596B973C211108A64F7754BBCBAEB50C2C949062
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...s..Y.................b.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x40330d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x597FCC73 [Tue Aug 1 00:33:55 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	57e98d9a5a72c8d7ad8fb7a6a58b3daf

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007F19B0802BA3h
push ebx
call 00007F19B0805C72h
cmp eax, ebx
je 00007F19B0802B99h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F19B0805BEEh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F19B0802B7Dh
push 0000000Ah
call 00007F19B0805C46h
push 00000008h
call 00007F19B0805C3Fh
push 00000006h
mov dword ptr [00424724h], eax
call 00007F19B0805C33h
cmp eax, ebx
je 00007F19B0802BA1h
push 0000001Eh
call eax
test eax, eax
je 00007F19B0802B99h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x603c	0x6200	029c8031e2fb36630bb7ccb6d1d379b5	False	0.6572464923469388	data	6.39361655287636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	421f9404c16c75fa4bc7d37da19b3076	False	0.4287109375	data	5.044261339836676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	c93d53142ea782e156ddc6acebdf883d	False	0.6455078125	data	5.223134318413766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x35000	0xa50	0xc00	1b99c5df5aaedc5b60aeacee8a24a0fe	False	0.40234375	data	4.186971853013905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x35190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x35478	0x100	data	English	United States	0.5234375
RT_DIALOG	0x35578	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x35698	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x356f8	0x14	data	English	United States	1.2
RT_MANIFEST	0x35710	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Analysis Process: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exePID: 1072, Parent PID: 2580

General

Target ID:	0
Start time:	07:21:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"
Imagebase:	0x400000
File size:	429'842 bytes
MD5 hash:	3AAA7D691A22EC1B7F9D03D63C7017A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exePID: 1072, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	15.5%
Signature Coverage:	23.9%
Total number of Nodes:	1545
Total number of Limit Nodes:	36

Executed Functions

Function 0040330D Relevance: 94.9, APIs: 33, Strings: 21, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403332
GetVersion.KERNEL32 ref: 00403338
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
#17.COMCTL32(?,00000006,?,0000000A), ref: 004033A7
OleInitialize.OLE32(00000000), ref: 004033AE
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,?,00000000,?,00000006,?,0000000A), ref: 004033CA
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004033DF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,?,00000006,?,0000000A), ref: 004033F2
CharNextA.USER32(00000000,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000020,?,00000006,?,0000000A), ref: 0040341D
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,?,0000000A), ref: 0040351A
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,?,0000000A), ref: 0040352B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 00403537
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 0040354B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403553
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403564
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 0040356C
DeleteFileA.KERNELBASE(1033,?,00000006,?,0000000A), ref: 00403580

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 004038E9: GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000), ref: 00403903
Part of subcall function 004038E9: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410), ref: 004039D9
Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(Call), ref: 004039F7
Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne), ref: 00403A40
Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D

Part of subcall function 004037F7: CloseHandle.KERNEL32(000002B4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 00403809
Part of subcall function 004037F7: CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 0040381D

OleUninitialize.OLE32(?,?,00000006,?,0000000A), ref: 0040362E
ExitProcess.KERNEL32 ref: 0040364F
GetCurrentProcess.KERNEL32(?,?,00000006,?,0000000A), ref: 0040376C
OpenProcessToken.ADVAPI32(00000000), ref: 00403773
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
ExitProcess.KERNEL32 ref: 004037F1

Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810

Strings

1033, xrefs: 0040357B
Error launching installer, xrefs: 004035E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 004034FF, 00403600, 004036AA, 004036B3
.tmp, xrefs: 00403676
\Temp, xrefs: 00403531
UXTHEME, xrefs: 0040335F, 00403364, 0040336A
49610752, xrefs: 004036E5, 00403748
Low, xrefs: 0040354D
user32::EnumWindows(i r1 ,i 0), xrefs: 004036C1
~nsu, xrefs: 0040365A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 0040360B
SeShutdownPrivilege, xrefs: 00403785
C:\Users\user\Desktop, xrefs: 00403681, 00403686, 004036B2
TMP, xrefs: 00403567
C:\Users\user\AppData\Local\Temp\, xrefs: 0040350F, 00403514, 0040352A, 00403536, 00403545, 00403552, 0040355E, 00403566, 0040365F, 00403670, 0040367B, 00403687, 00403694, 004036A3, 00403752
", xrefs: 00403442
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403321
NSIS Error, xrefs: 004033D0
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 004033E5, 004033EB, 004035A4
C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, xrefs: 0040370C
TEMP, xrefs: 0040355F

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$.tmp$1033$49610752$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
API String ID: 1129060429-2709583667
Opcode ID: 80222e2a1608f68e9a01e2d4467cb4f437ef41324d85fef8055a94e839ea45f6
Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
Opcode Fuzzy Hash: 80222e2a1608f68e9a01e2d4467cb4f437ef41324d85fef8055a94e839ea45f6
Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\nsw94A.tmp, xrefs: 004017A3, 00401812, 00401830
user32::EnumWindows(i r1 ,i 0), xrefs: 0040180D, 00401819, 00401831
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\nsw94A.tmp$C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 1941528284-1753177355
Opcode ID: 6d4c10959a53388a6810b5416c206514c44b4a0d35f0a660f1aca1b6d6b68858
Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
Opcode Fuzzy Hash: 6d4c10959a53388a6810b5416c206514c44b4a0d35f0a660f1aca1b6d6b68858
Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,00000000), ref: 0040588A
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004058D2
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004058F3
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 004058F9
FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,74DF3410,74DF2EE0,00000000), ref: 0040590A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
FindClose.KERNEL32(00000000), ref: 004059C8

Strings

\*.*, xrefs: 004058CC
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00405861

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$\*.*
API String ID: 2035342205-370014428
Opcode ID: e51b648568a1e5a9b47539b24ed2716d15288ef485a4508b80519d1c974b3528
Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
Opcode Fuzzy Hash: e51b648568a1e5a9b47539b24ed2716d15288ef485a4508b80519d1c974b3528
Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,00422580,C:\,00405B62,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405881,?,74DF3410,74DF2EE0), ref: 004063A7
FindClose.KERNEL32(00000000), ref: 004063B3

Strings

C:\, xrefs: 0040639C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction ID: 7ad18ffb452888df832aaad39da4d842c40e8f76539fb63f13b43eacc156c169
Opcode Fuzzy Hash: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction Fuzzy Hash: 7CD012316050306BC20117386E0C84B7A5C9F053307119B37F9A6F12E0D7748CB286DD

Function 033921E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0339229F

Strings

Yn, xrefs: 0339226E

Memory Dump Source

Source File: 00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp, Offset: 03046000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3046000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Yn
API String ID: 2167126740-2158672061
Opcode ID: 881ee08e26b22e315f274d01f8d05b25576b517f408f0b0b09087002b8d7c057
Instruction ID: a4ade938b3693516907f9c2429c4e17446c5abbd7f0894be6995ad97c8ef21e2
Opcode Fuzzy Hash: 881ee08e26b22e315f274d01f8d05b25576b517f408f0b0b09087002b8d7c057
Instruction Fuzzy Hash: CB015734A00B4ADFDF29EE7489D42EE77A2AF89344F51492ACD85CE618DB3098858A00

Function 004038E9 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000), ref: 00403903

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

lstrcatA.KERNEL32(1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000), ref: 00403964
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,74DF3410), ref: 004039D9
lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
GetFileAttributesA.KERNEL32(Call), ref: 004039F7
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne), ref: 00403A40
RegisterClassA.USER32(00423EC0), ref: 00403A7D
SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 00403A95
CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
ShowWindow.USER32(00000005,00000000), ref: 00403B00
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
RegisterClassA.USER32(00423EC0), ref: 00403B42
DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61

Strings

1033, xrefs: 00403909, 0040395F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 00403973, 0040397B, 00403A13, 00403A19, 00403A29
RichEdit, xrefs: 00403B33
RichEd32, xrefs: 00403B14
.DEFAULT\Control Panel\International, xrefs: 0040394F
RichEdit20A, xrefs: 00403B24, 00403B2A
Control Panel\Desktop\ResourceLocale, xrefs: 0040391D
RichEd20, xrefs: 00403B06
.exe, xrefs: 004039E6
0B, xrefs: 00403915
Call, xrefs: 004039A7, 004039AF, 004039BC, 00403A06, 00403A0C
C:\Users\user\AppData\Local\Temp\, xrefs: 004038EE
_Nb, xrefs: 00403A5C, 00403AC4
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 004038ED

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$.DEFAULT\Control Panel\International$.exe$0B$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 606308-446042241
Opcode ID: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
Opcode Fuzzy Hash: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DAC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,00000400), ref: 00402DC8

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00402E11
GlobalAlloc.KERNEL32(?,0040A130), ref: 00402F58

Strings

C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE
Error launching installer, xrefs: 00402DE8
soft, xrefs: 00402E88
Inst, xrefs: 00402E7F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00402D98
Null, xrefs: 00402E91
C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-297479754
Opcode ID: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
Opcode Fuzzy Hash: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

Function 004060BB Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004061E6
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,00420510,00000000,004051F8,00420510,00000000), ref: 004061F9
SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,00420510,00000000,004051F8,00420510,00000000), ref: 00406235
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406243
CoTaskMemFree.OLE32(00000000), ref: 0040624F
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
lstrlenA.KERNEL32(Call,?,00420510,00000000,004051F8,00420510,00000000,00000000,00000000,00000000), ref: 004062C5

Strings

M, xrefs: 004060C8
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061B5
Call, xrefs: 004060E5, 004061B2, 004061B3, 004061B4, 004061D0, 004061E5, 004061F8, 00406214, 0040623F, 00406272, 00406278, 00406290, 004062A3, 004062BE, 004062C4, 004062CC, 004062F6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040626D
user32::EnumWindows(i r1 ,i 0), xrefs: 0040629D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)$M
API String ID: 717251189-190614682
Opcode ID: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
Opcode Fuzzy Hash: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
GetLastError.KERNEL32 ref: 004056DD
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
GetLastError.KERNEL32 ref: 004056FC

Strings

C:\Users\user\Desktop, xrefs: 00405686
C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
wsprintfA.USER32 ref: 00406413
LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406427

Strings

UXTHEME, xrefs: 004063CC
\, xrefs: 004063EB
%s%s.dll, xrefs: 0040640D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

Function 00401FFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,?), ref: 00402028

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

LoadLibraryExA.KERNELBASE(00000000,?,?,00000001,?), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 004020B2

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 0040207C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: user32::EnumWindows(i r1 ,i 0)
API String ID: 2987980305-797600110
Opcode ID: 60fb46ecd7be2e423669211bfc99dba76962e3cb0b4c4fdd8d202bc87f238218
Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
Opcode Fuzzy Hash: 60fb46ecd7be2e423669211bfc99dba76962e3cb0b4c4fdd8d202bc87f238218
Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C75
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,?,0000000A), ref: 00405C8F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00405C61
nsa, xrefs: 00405C6C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2545641651
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(?,7D8BEC45), ref: 100021E2

Part of subcall function 10002587: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
Opcode Fuzzy Hash: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw94A.tmp,00000023,00000011,00000002), ref: 0040241B
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw94A.tmp,00000000,00000011,00000002), ref: 00402458
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw94A.tmp,00000000,00000011,00000002), ref: 0040253C

Strings

C:\Users\user\AppData\Local\Temp\nsw94A.tmp, xrefs: 0040240C, 0040241A, 0040242E, 00402442, 0040244D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsw94A.tmp
API String ID: 2655323295-2303157643
Opcode ID: 97315e2270c4fa8c14221e85b70d1482120828f961fc2ed06137c593c8c56db8
Instruction ID: f5012b3eed6b0e10d725da1925ea8f3c2a7a7eca851d842cc00ee1163223ef4a
Opcode Fuzzy Hash: 97315e2270c4fa8c14221e85b70d1482120828f961fc2ed06137c593c8c56db8
Instruction Fuzzy Hash: DA115471E00215BEDF10EFA5DE89A9E7A74EB44754F21403BF508F71D1CAB84D419B29

Function 004015CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,?,?,?), ref: 0040160D

Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9

SetCurrentDirectoryA.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne
API String ID: 2075002604-534986317
Opcode ID: 74f6a17f5a2169b7d4ce497a97ab3ad334f2cf828c1790a636ca55a9d9f680d7
Instruction ID: af62f180ee62bfda1351b7d55936977a3264c064610e85f8965f3656ce2abef5
Opcode Fuzzy Hash: 74f6a17f5a2169b7d4ce497a97ab3ad334f2cf828c1790a636ca55a9d9f680d7
Instruction Fuzzy Hash: 87110631608152EBCF216FA54D405BF66B09A92314B28093FE9D2B22E2D63D4943A62F

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,?,0000000A), ref: 004060A6

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,74DF3410,?,74DF2EE0,00405881,?,74DF3410,74DF2EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405881,?,74DF3410,74DF2EE0,00000000), ref: 00405B72
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405881,?,74DF3410,74DF2EE0), ref: 00405B82

Strings

C:\, xrefs: 00405B25, 00405B2A, 00405B30, 00405B6B, 00405B71, 00405B79, 00405B81

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction ID: 723f18ff0051ee6ad4f375e9cb18d989a687bb59657bcd06a5bbc8819a965d11
Opcode Fuzzy Hash: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction Fuzzy Hash: F5814371E00229CFDF24CFA8C8847ADBBB1FB44305F25856AD416BB281C7389A96DF44

Function 00406576 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction ID: f9a0fdfb68df0875c036107095c0f8e37124572de3281b7b6a4fcb1f7c3ff658
Opcode Fuzzy Hash: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction Fuzzy Hash: DF818771D00229DBDF24CFA8D8447AEBBB0FF44305F11856AE856BB280CB785A96DF44

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction ID: 20aa67b2f9945943e29b5428d9247f38e2249d0fc5fe98f3e4ff2a84f3334865
Opcode Fuzzy Hash: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction Fuzzy Hash: 17712271E00229DBDF24CFA8C8447ADBBB1FF44305F15846AE856BB280C7395996DF54

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction ID: 361238ff60de6b05a878e60f6b30513898442098bea6392746699c597b8ff52c
Opcode Fuzzy Hash: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction Fuzzy Hash: 53713371E00229DBDF28CF98C844BADBBB1FF44305F15846AE816BB280CB795996DF54

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction ID: cefc1bbef9c73defef891fc114d0afe65c0266ceafdcaf147cd695a7a928f12c
Opcode Fuzzy Hash: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction Fuzzy Hash: E1715671E00229DBDF28CF98C8447ADBBB1FF44305F15846AD816BB281CB795996DF44

Function 00403146 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040315A

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
SetFilePointer.KERNELBASE(000D038C,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction ID: 532adb213c64d5ab3b143d976f528210e7f95c922d5c949e36f01b9cb200fd6d
Opcode Fuzzy Hash: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction Fuzzy Hash: FD3160726442049FD710AF6AFE4896A3BECF75435A710827FE904B22F0DB389941DB9D

Function 004024DF Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw94A.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: fe8fd4e513e4e616d4eb5e2fb0ddd0ee11b0ac4f4ac673c702b8733e8fb061e1
Instruction ID: 518a01c90e212b4e6c6a91e55dc37795372a660c14e02f5234546a481bba951e
Opcode Fuzzy Hash: fe8fd4e513e4e616d4eb5e2fb0ddd0ee11b0ac4f4ac673c702b8733e8fb061e1
Instruction Fuzzy Hash: 9901B171A04105AFE7159F69DE9CABF7ABCEF80348F10003EF405A61C0DAB84A419729

Function 100027E4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 100028A3
GetLastError.KERNEL32 ref: 100029AA

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55

Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction ID: d45136b7277fa4a4eeb989eab338d16e1e03b20585a5145be81ea7fda6220a17
Opcode Fuzzy Hash: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction Fuzzy Hash: 6C314F31204259EFDB109F56DD44A9A7FA8EB08759F10803AF905FA190D378DA50DBA9

Function 0040246D Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw94A.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: ad300b22dd5f7cf06ede3240ba929c96a40a23854c2b6697e9be571cd6d1636f
Instruction ID: 1b22629e75d9b419b9fa7e371b5212fc4da00fb077cffe61c988f7dc4f8aba71
Opcode Fuzzy Hash: ad300b22dd5f7cf06ede3240ba929c96a40a23854c2b6697e9be571cd6d1636f
Instruction Fuzzy Hash: 5511E771A05205EEDB15DF64DA8C5BE7BB4EF05348F20403FE446B72C0D6B88A42DB29

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction ID: 0b9a08df0e19283e0c47f542131d218e25c17bbe1cc26e2bbd3e30b70dde81e4
Opcode Fuzzy Hash: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction Fuzzy Hash: FD01F431B202109BE7194B389D05B6A36A8E710315F51823FF951F65F1D778CC038B4C

Function 00406431 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406427

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction ID: 56fda94a1dd54a43fb122a1991fe363568279dfba8e98efda579274c3b941564
Opcode Fuzzy Hash: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction Fuzzy Hash: E3E086326042105AD2106BB09E0487773A89F84750302883EF946F2140D7389C75ABAE

Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405C36
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19

Function 00405703 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405709
GetLastError.KERNEL32(?,00000006,?,0000000A), ref: 00405717

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: 9e29868ffe2b43b7798ba1daada82999d34952ab2a4b7d437405be2737e00dc4
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: 0DC04C30225901DADA606F249F087177994FBA0741F1144396146E30E0EA348415ED2D

Function 004025C4 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction ID: 014ce3e67ccbc0a67955049e33e6e2fc18f0270869ac9b4e1a99f60d8e299e74
Opcode Fuzzy Hash: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction Fuzzy Hash: CC21F970D04295BEDF318B699948AAEBF749F11304F04457FE4D0B62D5C6BE8A82CF19

Function 00402682 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction ID: daba68e88d81473494fab100d986bdd4d5457abcde4f4dc52411d400b48531e4
Opcode Fuzzy Hash: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction Fuzzy Hash: BCE09B71B04116ABD700FB95AA4997E7768DF40304F10403FF515F00C1CA7D4C025B2D

Function 004022F6 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction ID: f472a2c509351f333654906e099da5e6dfd11f42980ce41b172c94471a0d1cd1
Opcode Fuzzy Hash: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction Fuzzy Hash: 8BE01A31B401246ADB207AB10E8E96E14989BC4744B29053ABE05B62C3DDBC4C414AB9

Function 00405F4D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b8b87f9e7f23a22b038ad66cb6348727c8887116b88fbbe418bbf9d15439b9dc
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: B4E0E67201450DBEDF095F60DD0AD7B371DEB08304F04452EFA45D4091E7B5AD209E74

Function 00405CD9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040C66A,0040B8D8,00403246,0040B8D8,0040C66A,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: e5327eed263ed0cb59b3772f759b7efddda8826228879d6768eb485b7ec61b42
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: CEE0EC3225065AABDF509E95AD08FEB7B6CEF053A0F008837F915E2150D631E821DBA8

Function 00405CAA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,0040B8D8,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction ID: 86bb3e2151b1fdd0dbac44507bcf00ea7ca2ece369def3772f3446380bdcc129
Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction Fuzzy Hash: DAE08C3220825EABEF109E508C00EEB3B6CFB00361F144432FD10E7040E230E860ABB4

Function 10002709 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,?,?,1000403C), ref: 10002727

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19

Function 0040233A Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040236D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction ID: 8896498bc3bf22cdd75c41d4cee83ceff5cc5a9cf36b2948d6df5d4522980b60
Opcode Fuzzy Hash: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction Fuzzy Hash: 82E08634B44308BADF10AFA19D49EAD3668AF41710F14403AFD547B0E2EEB844429B2D

Function 00405F1F Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,00420510,?,?,00405FAD,00420510,?,?,?,00000002,Call), ref: 00405F43

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 49134d8a29c384089d71c2fc87a48e1db8574b6415c3e00dd087e3758e4bfdf5
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0EC3210420ABADF119E919D01FAB371DEB04350F004426BA45E4091D779D520AE54

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,?), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e7fa766cc053bfdbcc21595e48a1bcd3d4c0b026ba3eff1e1b85954f558f6b14
Instruction ID: ce3aa80a16c353682a4fc60f6c60757a41c4294f2dd63ac0650dc91194aad8f9
Opcode Fuzzy Hash: e7fa766cc053bfdbcc21595e48a1bcd3d4c0b026ba3eff1e1b85954f558f6b14
Instruction Fuzzy Hash: E1D0127270811197CB10DBA8AB4869D77A4EB80325B318137D515F21D1E6B9C945671D

Function 004032C5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Non-executed Functions

Function 00404B3D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B55
GetDlgItem.USER32(?,00000408), ref: 00404B60
GlobalAlloc.KERNEL32(?,?), ref: 00404BAA
LoadBitmapA.USER32(0000006E), ref: 00404BBD
SetWindowLongA.USER32(?,?,00405134), ref: 00404BD6
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404BEA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404C30
DeleteObject.GDI32(00000000), ref: 00404C33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
GetWindowLongA.USER32(?,?), ref: 00404D6D
SetWindowLongA.USER32(?,?,00000000), ref: 00404D7B
ShowWindow.USER32(?,00000005), ref: 00404D8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
SendMessageA.USER32(?,?,00000000,00000000), ref: 00404F03
SendMessageA.USER32(?,00000420,00000000,?), ref: 00404F27
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
ImageList_Destroy.COMCTL32(?), ref: 00404F5C
GlobalFree.KERNEL32(?), ref: 00404F6C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
ShowWindow.USER32(?,00000000), ref: 0040510B
GetDlgItem.USER32(?,000003FE), ref: 00405116
ShowWindow.USER32(00000000), ref: 0040511D

Strings

, xrefs: 004050F5
M, xrefs: 004050C3
M, xrefs: 00404CE6
N, xrefs: 00404DC7

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$M
API String ID: 1638840714-2013270251
Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040535D
GetDlgItem.USER32(?,000003EE), ref: 0040536C
GetClientRect.USER32(?,?), ref: 004053A9
GetSystemMetrics.USER32(00000002), ref: 004053B0
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
ShowWindow.USER32(?,?), ref: 0040544C
GetDlgItem.USER32(?,000003EC), ref: 0040546D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
GetDlgItem.USER32(?,000003F8), ref: 0040537B

Part of subcall function 0040418F: SendMessageA.USER32(?,?,00000001,00403FBF), ref: 0040419D

GetDlgItem.USER32(?,000003EC), ref: 004054BE
CreateThread.KERNEL32(00000000,00000000,Function_00005292,00000000), ref: 004054CC
CloseHandle.KERNEL32(00000000), ref: 004054D3
ShowWindow.USER32(00000000), ref: 004054F6
ShowWindow.USER32(?,?), ref: 004054FD
ShowWindow.USER32(?), ref: 00405543
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
CreatePopupMenu.USER32 ref: 00405588
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
GetWindowRect.USER32(?,000000FF), ref: 004055BD
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004055D6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
OpenClipboard.USER32(00000000), ref: 00405622
EmptyClipboard.USER32 ref: 00405628
GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
GlobalLock.KERNEL32(00000000), ref: 0040563B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
GlobalUnlock.KERNEL32(00000000), ref: 00405668
SetClipboardData.USER32(00000001,00000000), ref: 00405673
CloseClipboard.USER32 ref: 00405679

Strings

0B, xrefs: 004055EE

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 590372296-4132856435
Opcode ID: 799acff668d1406a393a64cfa932ce4a107f44924d59ebcbf16f3d2c856b27c8
Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
Opcode Fuzzy Hash: 799acff668d1406a393a64cfa932ce4a107f44924d59ebcbf16f3d2c856b27c8
Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

Function 004045CA Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404619
SetWindowTextA.USER32(00000000,?), ref: 00404643
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
CoTaskMemFree.OLE32(00000000), ref: 004046FF
lstrcmpiA.KERNEL32(Call,00420D30), ref: 00404731
lstrcatA.KERNEL32(?,Call), ref: 0040473D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F

Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC

Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040635B
Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406368
Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040636D
Part of subcall function 00406303: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040637D

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828

Part of subcall function 00404981: lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
Part of subcall function 00404981: SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A

Strings

M, xrefs: 00404884
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 0040471A
Call, xrefs: 0040472B, 00404730, 0040473B
user32::EnumWindows(i r1 ,i 0), xrefs: 004045E3
A, xrefs: 004046ED
0B, xrefs: 004046C7

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: 0B$A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$Call$user32::EnumWindows(i r1 ,i 0)$M
API String ID: 2624150263-2562472055
Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(?,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,?), ref: 004021FC

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne
API String ID: 123533781-534986317
Opcode ID: 1f4e783d33bd6e9172d284d0e230be815ba95689a56598640df84db978dd7c10
Instruction ID: a4a7f3c5621d46c7608b395b9069b641d7403675325c7ae40bb0e4cab6624151
Opcode Fuzzy Hash: 1f4e783d33bd6e9172d284d0e230be815ba95689a56598640df84db978dd7c10
Instruction Fuzzy Hash: 89512475A00208BFCF10DFE4C988A9DBBB5EF88314F2045AAF915EB2D1DA799941CF54

Function 03392404 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

(, xrefs: 033925EE

Memory Dump Source

Source File: 00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp, Offset: 03046000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3046000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-92557136
Opcode ID: c6c5e9520f70c5611b15a3a9360dd9f160484365514acee5eaf4a84375745546
Instruction ID: c4d2f60ee9067529a29fc23e339d1cfa88e92a65ac8afd293016eb0fb46b4e39
Opcode Fuzzy Hash: c6c5e9520f70c5611b15a3a9360dd9f160484365514acee5eaf4a84375745546
Instruction Fuzzy Hash: 42B18836504349DFEB259E38CCD97EB7BA2AF02350F4A456EDCC18B596D7358486CB02

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8bb92b40096ce253c1feb66c156ee41281b8be3657acaa0f53a495f9db4c8228
Instruction ID: 0159b05a81fb7445ac67952f267e1ed3d95360429fb03f1bd53dceef05a54f2a
Opcode Fuzzy Hash: 8bb92b40096ce253c1feb66c156ee41281b8be3657acaa0f53a495f9db4c8228
Instruction Fuzzy Hash: EEF055727041019BC300EBB49948AEEB768DF21324F20017FE285F20C1C7B889469B3A

Function 03365667 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

QKQ, xrefs: 03365885

Memory Dump Source

Source File: 00000000.00000002.4096311949.0000000003046000.00000040.00001000.00020000.00000000.sdmp, Offset: 03046000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3046000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Yara matches

Similarity

API ID:
String ID: QKQ
API String ID: 0-1237365341
Opcode ID: 5f9c8ef3640e3be87150f9059254476c5e0099abb199a63dc90ac1fd32d556f4
Instruction ID: a36ad0d5f0e61a5b1dc0adf4f5235b01055bf68b1b957035964fed29009e806a
Opcode Fuzzy Hash: 5f9c8ef3640e3be87150f9059254476c5e0099abb199a63dc90ac1fd32d556f4
Instruction Fuzzy Hash: 6A81EC3590438A9FDB34EF24C8E57EA7BB6EF45360F95412EDC8A8B155C7314A86CB01

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
ShowWindow.USER32(?), ref: 00403CDF
DestroyWindow.USER32 ref: 00403CF3
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
GetDlgItem.USER32(?,?), ref: 00403D30
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
IsWindowEnabled.USER32(00000000), ref: 00403D4B
GetDlgItem.USER32(?,00000001), ref: 00403DF9
GetDlgItem.USER32(?,00000002), ref: 00403E03
SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
GetDlgItem.USER32(?,00000003), ref: 00403F14
ShowWindow.USER32(00000000,?), ref: 00403F35
EnableWindow.USER32(?,?), ref: 00403F47
EnableWindow.USER32(?,?), ref: 00403F62
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
EnableMenuItem.USER32(00000000), ref: 00403F7F
SendMessageA.USER32(?,?,00000000,00000001), ref: 00403F97
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
lstrlenA.KERNEL32(00420D30,?,00420D30,00000000), ref: 00403FD4
SetWindowTextA.USER32(?,00420D30), ref: 00403FE3
ShowWindow.USER32(?,0000000A), ref: 00404117

Strings

0B, xrefs: 00403FC4

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: 0B
API String ID: 184305955-4132856435
Opcode ID: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
Opcode Fuzzy Hash: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

Function 004042A3 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
GetDlgItem.USER32(00000000,000003E8), ref: 00404342
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
GetSysColor.USER32(?), ref: 00404371
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenA.KERNEL32(?), ref: 00404392
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
GetDlgItem.USER32(?,0000040A), ref: 00404418
SendMessageA.USER32(00000000), ref: 0040441B
GetDlgItem.USER32(?,000003E8), ref: 00404446
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
LoadCursorA.USER32(00000000,00007F02), ref: 00404495
SetCursor.USER32(00000000), ref: 0040449E
LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
SetCursor.USER32(00000000), ref: 004044B7
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
SendMessageA.USER32(?,00000000,00000000), ref: 004044F7

Strings

nB@, xrefs: 004044A2
M, xrefs: 004042C3
Call, xrefs: 00404471
N, xrefs: 00404434

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$nB@$M
API String ID: 3103080414-102202749
Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4

Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42

Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
wsprintfA.USER32 ref: 00405D7D
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,?,00422EC0,?,?,?,?,?), ref: 00405DB8
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00405DC7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
GlobalFree.KERNEL32(00000000), ref: 00405E66
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Strings

%s=%s, xrefs: 00405D73
[Rename], xrefs: 00405DE7, 00405DF9

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD

Function 100021FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002348

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(?,?), ref: 100022C5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
GlobalAlloc.KERNEL32(?,?), ref: 100022E9
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
GlobalFree.KERNEL32(00000000), ref: 100022FE

Strings

@Hmu, xrefs: 100022F7

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @Hmu
API String ID: 3730416702-887474944
Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61

Function 00406303 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040635B
CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406368
CharNextA.USER32(?,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040636D
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 0040637D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406304
*?|<>/":, xrefs: 0040634B
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 0040633F

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1776944453
Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD

Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041DE
GetSysColor.USER32(00000000), ref: 004041FA
SetTextColor.GDI32(?,00000000), ref: 00404206
SetBkMode.GDI32(?,?), ref: 00404212
GetSysColor.USER32(?), ref: 00404225
SetBkColor.GDI32(?,?), ref: 00404235
DeleteObject.GDI32(?), ref: 0040424F
CreateBrushIndirect.GDI32(?), ref: 00404259

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64

Function 100023D8 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(?,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B3
GlobalFree.KERNEL32(00000000), ref: 100024ED

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62

Function 004051C0 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

Function 00402CF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D11
GetTickCount.KERNEL32 ref: 00402D2F
wsprintfA.USER32 ref: 00402D5D

Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
ShowWindow.USER32(00000000,00000005), ref: 00402D8F

Part of subcall function 00402CDD: MulDiv.KERNEL32(00000000,?,00000D92), ref: 00402CF2

Strings

... %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 581d0362c9c78e99b63bfe565d6ea7dfe38dfe796f0dab54d06828bbe0081036
Instruction ID: 05ae4936d853d48bc68e56bc5a14e51e8e164cb381f888baae312624535d0e7d
Opcode Fuzzy Hash: 581d0362c9c78e99b63bfe565d6ea7dfe38dfe796f0dab54d06828bbe0081036
Instruction Fuzzy Hash: 3601D630901620EBD722AB60BF0CEDE7A78EF48701B44003BF555B51E4CBB84C41CA9E

Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
GetMessagePos.USER32 ref: 00404AAE
ScreenToClient.USER32(?,?), ref: 00404AC8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00

Strings

f, xrefs: 00404ADC

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: d6f0acc73841e927dc0e8d5cbc3229ede44acf808998aa5f41192725d6cd764a
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 03019275900219BADB00DB95CD81BFFBBBCAF45711F10012BBA10B61C0C7B495018F94

Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
wsprintfA.USER32 ref: 00402CB0
SetWindowTextA.USER32(?,?), ref: 00402CC0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2

Strings

unpacking data: %d%%, xrefs: 00402C9E
verifying installer: %d%%, xrefs: 00402CA5, 00402CAE

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction ID: dd36d9f71d3f98b31449e9fd5fd6fbb92ab2983ffa1af0ce52afe90c4e52f268
Opcode Fuzzy Hash: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction Fuzzy Hash: B6F03C7150020CFBEF209F61CE0ABAE7769EB44344F00803AFA16B52D0DBB999559F99

Function 00402766 Relevance: 9.1, APIs: 6, Instructions: 72memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GlobalAlloc.KERNEL32(?,?), ref: 0040278A
CloseHandle.KERNEL32(?), ref: 00402810

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8

Part of subcall function 0040303E: SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

DeleteFileA.KERNEL32(?), ref: 00402824

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$Global$AllocFreePointer$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 488507980-0
Opcode ID: c91c9bd5815d1241bbceb1c2895bdf00b75426eacf14b09c248079251ff6b1a7
Instruction ID: 1fe78f37701cbcc77283e4ca16615c536d0e0ac6238c74e6acd79bc50f6aaca8
Opcode Fuzzy Hash: c91c9bd5815d1241bbceb1c2895bdf00b75426eacf14b09c248079251ff6b1a7
Instruction Fuzzy Hash: 54219D72800128BBCF116FA5DE48DAE7F79EF05360B14423EF554B62E0CA794D419BA8

Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
wsprintfA.USER32 ref: 00404A27
SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A

Strings

0B, xrefs: 00404A11
%u.%u%s%s, xrefs: 00404A09

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$0B
API String ID: 3540041739-2032437577
Opcode ID: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction ID: 454b38ceac9876f8861c3790537a611104b372144c9fccdb064e9295d2f1ba63
Opcode Fuzzy Hash: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction Fuzzy Hash: 2111E773A0412837DB0066799C45EAF329CDB85374F254637FA26F31D1EA78CC1242E9

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction ID: bb5471ef097cc8c5e92714fe4b65473af6cf7b7baf5f4d2141323caa5fcdcc79
Opcode Fuzzy Hash: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction Fuzzy Hash: D4014C72944240AFE7006BB5AE5AA997FE8DB55305F10C839F241BA2F2CB7805458FAD

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: fc1458dcfc400969bed1c091e5691bcd3d4000c1b62ed4e40ea1ea561ade4028
Instruction ID: 074f51ed6dd20aae2d42350fdade0312ac008d0ce280de7d9e26dccf07732080
Opcode Fuzzy Hash: fc1458dcfc400969bed1c091e5691bcd3d4000c1b62ed4e40ea1ea561ade4028
Instruction Fuzzy Hash: 62F0FFB2600515AFDB00EBA4DE88DAFB7BCFB44301B04447AF645F2191CB748D018B38

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28

Function 00405A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405A37
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,?,0000000A), ref: 00405A40
lstrcatA.KERNEL32(?,0040A014,?,00000006,?,0000000A), ref: 00405A51

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 868260c831235620665dea70b18de3ff29fa680cd517475ab4f5cc36a8a73f00
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 79D023726015303AD1127F154C05DCF1A4C8F023507050077F200B7191CB3C0D514BFE

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
Opcode Fuzzy Hash: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68

Function 00405ACA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,74DF3410,?,74DF2EE0,00405881,?,74DF3410,74DF2EE0,00000000), ref: 00405AD8
CharNextA.USER32(00000000), ref: 00405ADD
CharNextA.USER32(00000000), ref: 00405AF1

Strings

C:\, xrefs: 00405ACB

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction ID: db937687bc36527a3f7147c44c8c9b1a0bf4ed848bee0725310acd997699ac17
Opcode Fuzzy Hash: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction Fuzzy Hash: D8F0C861B14F501AFB2262640C54B776BA8CB99350F04406BD540671C286BC6C404F6A

Function 004037F7 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002B4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 00403809
CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 0040381D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
C:\Users\user\AppData\Local\Temp\nsw94A.tmp, xrefs: 0040382D

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsw94A.tmp
API String ID: 2962429428-1118326888
Opcode ID: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction ID: a243388e665e2d569925beaf0092b2dcbae65f1e85c6ca02b15765f08549dd2e
Opcode Fuzzy Hash: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction Fuzzy Hash: 08E04F3250071896C620BF79AE494853B599B41735724C776F138B20F1C73899975AA9

Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405163
CallWindowProcA.USER32(?,?,?,?), ref: 004051B4

Part of subcall function 004041A6: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041B8

Strings

, xrefs: 00405144

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D

Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,00420510,?,?,?,00000002,Call,?,004061C4,80000002), ref: 00405FC6
RegCloseKey.ADVAPI32(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,00420510), ref: 00405FD1

Strings

Call, xrefs: 00405F83, 00405FB7

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction ID: 18c902175c261954d743b78889848fcc164f2ce977d73a6ea322bbd2e465ffc2
Opcode Fuzzy Hash: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction Fuzzy Hash: CD01BC7250020AABDF228F20CC09FDB3FA8EF54364F00403AFA05A2190D278CA14DFA8

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
CloseHandle.KERNEL32(?), ref: 0040576E

Strings

Error launching installer, xrefs: 0040574B

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: 69b2a91025ee82e0f17d0b644fa8ba69f8cb79a6280e59e5c1840fb2568b3eab
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 00E046F0600209BFEB009F60EE49F7BBBACEB10704F808421BD00F2190D6B898448A78

Function 00403854 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000,74DF3410,00000000,74DF2EE0,0040382B,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,?,0000000A), ref: 0040386E
GlobalFree.KERNEL32(004D7628), ref: 00403875

Strings

(vM, xrefs: 00403855, 00403880

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: (vM
API String ID: 1100898210-3088526615
Opcode ID: bf20d2945bb5ef82aea882dca47bf7a800ed57bbe34a1365a93ea0a8c88c69c9
Instruction ID: 5a7e105abd1ff501ddbafdab51ff1ddcb88a66ee3eeb0d8e06bf853bef0fe42f
Opcode Fuzzy Hash: bf20d2945bb5ef82aea882dca47bf7a800ed57bbe34a1365a93ea0a8c88c69c9
Instruction Fuzzy Hash: 9AE08C3380112097C6212F25EA0475AB7A86F44B22F1180BAFC807B2608B741C428AC8

Function 00405A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405A7E
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003), ref: 00405A8C

Strings

C:\Users\user\Desktop, xrefs: 00405A78

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.4097643168.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4097630701.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097654830.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4097666710.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

Memory Dump Source

Source File: 00000000.00000002.4095708870.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4095692731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095724320.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095735715.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4095820882.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Biri.skr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Bolledejenes.Oct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Skrabs.Alv23

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\cambalo.inh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\oink.tyk

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\nsw8FB.tmp

C:\Users\user\AppData\Local\Temp\nsw94A.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Function 0040330D Relevance: 94.9, APIs: 33, Strings: 21, Instructions: 368
stringcomfileCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 004038E9 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 004060BB Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00401FFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 004015CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
COMMON

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON