Edit tour

Windows Analysis Report
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Overview

General Information

Sample name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Analysis ID:	1586499
MD5:	a25712989100fcdcb627446bcedb6c0a
SHA1:	7577219dfedaaedff8b10dc274b97cff0f2788fb
SHA256:	148b1248f6b89fa446d40890492bf0f9dddfa0b17d1cb9cad9fd84a0f9934890
Tags:	batDHLexeuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe" MD5: A25712989100FCDCB627446BCEDB6C0A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Virustotal: Detection: 45%			Perma Link
Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: global traffic

TCP traffic: 192.168.2.8:57509 -> 162.159.36.2:53

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405461

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Source: initial sample	Static PE information: Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040338F

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00406B15	0_2_00406B15
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004072EC	0_2_004072EC
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00404C9E	0_2_00404C9E
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_73911B5F	0_2_73911B5F
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_0340A5AF	0_2_0340A5AF

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@1/7@1/0

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

0_2_0040338F

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404722

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsjCDE3.tmp

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Virustotal: Detection: 45%
Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File read: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_73911B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73911B5F

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_03396D94 push E4840C47h; retf

0_2_03396D99

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

RDTSC instruction interceptor: First address: 33C5976 second address: 33C5976 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FC410C24D08h 0x00000006 push eax 0x00000007 mov eax, 0512F0F1h 0x0000000c cmp eax, 00000091h 0x00000011 jng 00007FC410C696B7h 0x00000017 pop eax 0x00000018 inc ebp 0x00000019 inc ebx 0x0000001a rdtsc

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004059CC
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_004065FD FindFirstFileW,FindClose,	0_2_004065FD
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4410
Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	API call chain: ExitProcess graph end node			graph_0-4402

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Code function: 0_2_73911B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73911B5F

Source: C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

0_2_0040338F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	46%	Virustotal		Browse
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	34%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586499
Start date and time:	2025-01-09 08:27:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@1/7@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 33 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\Ratgears.spa

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	173644
Entropy (8bit):	4.604565799329235
Encrypted:	false
SSDEEP:	3072:q0tzOnbU0Aaa/V6Zk+0RRnDfcPL+uSPyg7BIxgv9S:q0ZOAvcp5PLqpexgvA
MD5:	5B3DF8436D091B59E8C3F11130FB0FC8
SHA1:	8D6AE6E79E039E0FE9E5EEBD9A66DB3567785B51
SHA-256:	14E5190C91AD97F6A4EC03B50B1E0BB1FFC7C9B968F33C4BDC3D9D9B742976E8
SHA-512:	9399D9FF873A76DF3F205D89158B093E685102A3CE558B6F06A5EDCDFBE2EC67E7C7E8B763A28DAF75208EA09780DF6EDCAE9B13C51662F426A554B92DBA3A71
Malicious:	false
Reputation:	low
Preview:	..ttt.............**....X..............--.....{.......................ee........?............OO.......gg...........................................*....??........+++++........2222222222...!!!..............z.....a.....888......2....................X.........3.qqq..................................N.oo....L.......V..g.qqq.sss.....m...........c........\......$................................22.........w........P.fffff..................vv...........\...................ww..........B....{{.........ff.nnnn............................8.........K..mmm........AAAA....6.`.......aaa.n....QQQ...................8......??.........................................2.D.PPP..zz..7....{{...}..>....................,........BBB....................PPP.p.......\\\\...B............................N.........................................&...............ttt................g.....L.....O..kk.!.F.........Y......=.!!..>.................VV.)...V...;..44..`..........==..M.....#..k.............................r....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\Retterganges.Rat

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	Matlab v4 mat-file (little endian) \376\376\376\376, numeric, rows 36494, columns 3233857728
Category:	dropped
Size (bytes):	332054
Entropy (8bit):	7.578249290217776
Encrypted:	false
SSDEEP:	6144:2Fltsrea3kjbw52a0SSxoD9gvHS7kaC+QcwwVfnJo134KGgLroal:27txa0452apc/SfQcwwN6VGgLrf
MD5:	D877F72AAAAC187E43BE4DA409B54EB9
SHA1:	1BF3C844E2C04D3ACD91F09481FC3F9B013E13D6
SHA-256:	9D3D95BCFDAFCA3F59BF336A34FE6439EE318888C8071AFC8D9CC0A303CDF495
SHA-512:	5DFA7184814D2E4DD4FDDE52DF4A7AEF247D93FBAE1BA9ED3873BFC1C89561B9589F95241F49AFC681CF17AE4460072B026CFC703158499F715C1D53BD55AE4C
Malicious:	false
Reputation:	low
Preview:	............................. ..QQQQQ.>.................ssss...ii...........44..c................."....{..pppp...........,.)).$$$.O..............?.......rr....\\\.............!.^.III..............................J.II...ooo.dd.^.f.....QQ......::....XX.....bb..............................BB.......44......7...p.......y...).........ooo.........a.U..............mmmmm...`........<....cccccc..N.........................................................S...A.......................G..999...```....&&......... ....T.OO..................r...................9999............................E.................!..^^.........Y...................##...................F.............. .....................F...........k......999..I...X...........I......\\\\.....?.........U....C........................}...................""".8........ff..f...........m.............EE.*....................................hh...0......nnn..................[........rrrr.PP...222.....????.................`.....CCCC....W........-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\fusees.sek

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	62355
Entropy (8bit):	1.258826482536988
Encrypted:	false
SSDEEP:	384:MW0KDb3KVOw/j7X+S0KA0ArEsyiOYl3fVXdYJE7udSAzJObdxbYxJ6aV:r08OVd/n0KA5YcZdYmudvQpxboJxV
MD5:	525837D7C36E52AE3BC6211BCCBF5EA1
SHA1:	37850DC35FBD8485D5E1A2AF97EC82F51AEA20DD
SHA-256:	5A4BD2EE31A482045C32C9C9959349AF8B9A25AA0802733353CE8B109FE0F9E2
SHA-512:	07762F5FAB9A7A2A71EE3C63FBF5447EC2E21C9D7445452124B3F392742763533D8C5C13D57D3EF10D72D18DDA7D0D69903C2F0F89665F78C198C19BC2324592
Malicious:	false
Reputation:	low
Preview:	............................................Z..................................................................................R...........D...................................................-........................................._........t.............................U...........................................................................................6............N.........q.................................................................................................._.d................"................................................=.........................................................z.....e.............!............)....................................O.............................................................C.....E.............................3..................................................I..................t.........k........0...P........<..............]...........................4........................................w..........................d......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\sojakagerne.baf

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	485505
Entropy (8bit):	1.2528129101207983
Encrypted:	false
SSDEEP:	1536:EVa8YX2OjjNzeeS9xrLyC0EOUz5teMpuzfAwf03J:EVhOj+nrgMGfAwfOJ
MD5:	555D5C56BDD2315465BECC10397D5764
SHA1:	955DFA2743CC2B49DC493C23C1BC8CB0FF21E6C8
SHA-256:	D81040FF324DC02AE272F7B3EC644F5D988539648C9459B4669C92C95EB8F83B
SHA-512:	8477D70481A576EA3BB2123A3114A3E4C6E5DD3D9A461CED29B63727E71289BEC6982C2B5D59559C15AC875E004872855D90E74999069D2B6E1C1E09C8D13937
Malicious:	false
Reputation:	low
Preview:	...............................3...........................%.....z....................<......................................................6.........................7.....>............................].....A...............w......".................l.T..............................................................B........./.i......................................................................................................+..T...........................................~..........8........................[..................................9...................................%...........................................................F................E.......................................................v....................................;.....................................................r..............................................d...................................u.-........................:.8.....>9.......................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\tommelfingerreglerne.ove

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	336216
Entropy (8bit):	1.2639133058786656
Encrypted:	false
SSDEEP:	768:NzYP1DovnbTLlQx1bwZqqOkw26hthJhXKJ639+HFf8TCoDrT6lmudk5e7rfWC07A:LBG2dqxIJVo6rJIhwTf764dpzz
MD5:	3D6D953D11FDDE966CDA116E27C6BB2F
SHA1:	FD0779E2A60E03EEE4EF2B21DA200A4DEFC549D0
SHA-256:	28B4FF5BDCC66D02A0B19325797AB0EBD58C78D29180DA993FB1551B0650A414
SHA-512:	8302C8DB0BF42DFDA96B6DA42BDA8B189D65AB6A5D2C769B6D9F3A347DD09EA6FDA94CACE00B455810348E02DBD390F1CB406A33E8C846C6D453408F22F5518A
Malicious:	false
Reputation:	low
Preview:	.....p.........[.............g..................]....5......................................u.................................z..........A..........................S.d.....................................................s....................................................................8..............................................................x.......................1........j................................................y...P...............................................................F...........X............................>.................................................U................................`...................#............p.............%.......................#....................#....................?...........................>..............9..........................................................................................{........................................................................J...................................................

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: KO0q4biYfC.exe, Detection: malicious, Browse Filename: Yoranis Setup.exe, Detection: malicious, Browse Filename: Yoranis Setup.exe, Detection: malicious, Browse Filename: Pralevia Setup 1.0.0.exe, Detection: malicious, Browse Filename: Pralevia Setup 1.0.0.exe, Detection: malicious, Browse Filename: NativeApp_G5L1NHZZ.exe, Detection: malicious, Browse Filename: Awb 4586109146.bat.exe, Detection: malicious, Browse Filename: PO 0309494059506060609696007.exe, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse Filename: YF3YnL4ksc.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.665655342643962
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
File size:	764'339 bytes
MD5:	a25712989100fcdcb627446bcedb6c0a
SHA1:	7577219dfedaaedff8b10dc274b97cff0f2788fb
SHA256:	148b1248f6b89fa446d40890492bf0f9dddfa0b17d1cb9cad9fd84a0f9934890
SHA512:	cb73d6e402c985060fa29f19cd8a9c5969fea907be08dace163d30994849eec6da053822959e9b0d2f9e2aac5435381fbef47a6e04cd16e4df038059ba266d04
SSDEEP:	12288:gSsoaNkT5nJ2CDKyunOwmxfydcitSooK0uTddwDAvJaDpuhFQp3nZoThK:gxCnJ7DKZnO5xPK02dYDpmQp3nZac
TLSH:	C6F4F1AAF150A991C08D73B2843F3EDE5668ECCEBD7CD96C198D3A45FBB72C01806855
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h.........

File Icon


Icon Hash:	9b673392d8969765

Static PE Info

General

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F2E [Sat Dec 15 22:24:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007FC41100E263h
push ebx
call 00007FC411011515h
cmp eax, ebx
je 00007FC41100E259h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FC41101148Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FC41100E23Ch
push 0000000Ah
call 00007FC4110114E8h
push 00000008h
call 00007FC4110114E1h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007FC4110114D5h
cmp eax, ebx
je 00007FC41100E261h
push 0000001Eh
call eax
test eax, eax
je 00007FC41100E259h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x2a7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	37029c3103747b9cc70c8ecd944a9b83	False	0.6643629807692307	data	6.451784672975888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	eecac1fed9cc6b447d50940d178404d8	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	939516377e7577b622eb1ffdc4b5db4a	False	0.517578125	data	4.03532418489749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x2a7c8	0x2a800	e4f28a45b728cc6119beb84ff29a2c0a	False	0.2807502297794118	data	5.286546909879635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x533e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.23547852833313618
RT_ICON	0x63c10	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2597487912549926
RT_ICON	0x6d0b8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.29551756007393715
RT_ICON	0x72540	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.31317902692489374
RT_ICON	0x76768	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3537344398340249
RT_ICON	0x78d10	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4406660412757974
RT_ICON	0x79db8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.451226012793177
RT_ICON	0x7ac60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4864754098360656
RT_ICON	0x7b5e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.506768953068592
RT_ICON	0x7be90	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5034562211981567
RT_ICON	0x7c558	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3880057803468208
RT_ICON	0x7cac0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5957446808510638
RT_DIALOG	0x7cf28	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7d028	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x7d148	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7d1a8	0xae	data	English	United States	0.6609195402298851
RT_VERSION	0x7d258	0x22c	data	English	United States	0.5323741007194245
RT_MANIFEST	0x7d488	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:29:06.210772038 CET	57509	53	192.168.2.8	162.159.36.2
Jan 9, 2025 08:29:06.215646029 CET	53	57509	162.159.36.2	192.168.2.8
Jan 9, 2025 08:29:06.215769053 CET	57509	53	192.168.2.8	162.159.36.2
Jan 9, 2025 08:29:06.220873117 CET	53	57509	162.159.36.2	192.168.2.8
Jan 9, 2025 08:29:06.669380903 CET	57509	53	192.168.2.8	162.159.36.2
Jan 9, 2025 08:29:06.674410105 CET	53	57509	162.159.36.2	192.168.2.8
Jan 9, 2025 08:29:06.674454927 CET	57509	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:29:06.210203886 CET	53	51846	162.159.36.2	192.168.2.8
Jan 9, 2025 08:29:06.692223072 CET	55353	53	192.168.2.8	1.1.1.1
Jan 9, 2025 08:29:06.699352980 CET	53	55353	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:29:06.692223072 CET	192.168.2.8	1.1.1.1	0xcfcb	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:29:06.699352980 CET	1.1.1.1	192.168.2.8	0xcfcb	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Analysis Process: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exePID: 7728, Parent PID: 4084

General

Target ID:	0
Start time:	02:28:32
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"
Imagebase:	0x400000
File size:	764'339 bytes
MD5 hash:	A25712989100FCDCB627446BCEDB6C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exePID: 7728, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.3%
Total number of Nodes:	1543
Total number of Limit Nodes:	28

Executed Functions

Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004033B2
GetVersion.KERNEL32 ref: 004033B8
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
OleInitialize.OLE32(00000000), ref: 0040342F
SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000020,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040360B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
ExitProcess.KERNEL32 ref: 00403724
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
DeleteFileW.KERNEL32(0042AA08,0042AA08,?,user32::EnumWindows(i r1 ,i 0),00000008,?,00000006,00000008,0000000A), ref: 004037D3
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
AdjustTokenPrivileges.ADVAPI32 ref: 00403882
ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
ExitProcess.KERNEL32 ref: 004038CA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004035C7, 004035CC, 004035E2, 004035EE, 004035FD, 0040360A, 00403616, 0040361E, 00403734, 00403745, 00403750, 0040375C, 00403769, 00403778, 00403829
.tmp, xrefs: 0040374B
\Temp, xrefs: 004035E9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 004036E0
C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, xrefs: 004037E2
C:\Users\user\Desktop, xrefs: 00403756, 0040375B, 00403788
Low, xrefs: 00403605
1033, xrefs: 00403633
~nsu, xrefs: 0040372F
TMP, xrefs: 0040361F
Error launching installer, xrefs: 004036BA
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00403466, 0040346C, 00403660
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 004035B5, 004036D5, 0040377F, 00403789
SeShutdownPrivilege, xrefs: 00403859
user32::EnumWindows(i r1 ,i 0), xrefs: 00403797
NSIS Error, xrefs: 00403451
TEMP, xrefs: 00403617
UXTHEME, xrefs: 004033DF, 004033E4, 004033EA

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
API String ID: 3441113951-1266176814
Opcode ID: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
Opcode Fuzzy Hash: c69f0a08dcb2e1d024cd1a682ba050e32cb95b0861efa09548cea5cd73a41d6c
Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E

Function 004059CC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 004059F5
lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A3D
lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A60
lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A66
FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405A76
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
FindClose.KERNEL32(00000000), ref: 00405B25

Strings

"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 004059CC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059DA
\*.*, xrefs: 00405A37

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-776621379
Opcode ID: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
Opcode Fuzzy Hash: b938c9d9068cedab339b19568100d2823c17cca8f6ff83e158d789dc8ab7bbfb
Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E

Function 004065FD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420), ref: 00406608
FindClose.KERNEL32(00000000), ref: 00406614

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C

Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573420,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",00000000), ref: 00403A2B
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
GetFileAttributesW.KERNEL32(Call), ref: 00403AC9
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes), ref: 00403B12

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

RegisterClassW.USER32(00433E80), ref: 00403B4F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
ShowWindow.USER32(00000005,00000000), ref: 00403BD2
GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
RegisterClassW.USER32(00433E80), ref: 00403C14
DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33

Strings

RichEdit, xrefs: 00403C05
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B6
_Nb, xrefs: 00403B2E, 00403B96
RichEd32, xrefs: 00403BE6
Control Panel\Desktop\ResourceLocale, xrefs: 004039DE
RichEdit20W, xrefs: 00403BF6, 00403BFC
1033, xrefs: 004039CA, 00403A26
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 004039AE
RichEd20, xrefs: 00403BD8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 00403A3A, 00403A42, 00403AE5, 00403AEB, 00403AFB
.DEFAULT\Control Panel\International, xrefs: 00403A16
.exe, xrefs: 00403AB8
Call, xrefs: 00403A72, 00403A7B, 00403A89, 00403AD8, 00403ADE

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2509760435
Opcode ID: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
Instruction ID: 9f2b94ab3f1de80a41c8f53b965b22801f2352f665cd6d3f8e6571e1d6c0b700
Opcode Fuzzy Hash: 2904cd21c70d62866cc327d96625cdd9032e7e4c90c5b4ba07f750359117e74a
Instruction Fuzzy Hash: D861B9312407007ED720AF659D46E2B3A6CEB85B4AF40057FF945B51E2CBBD9941CB2D

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

Error launching installer, xrefs: 00402F2D
"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00402EDD
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Null, xrefs: 00402FD4
Inst, xrefs: 00402FC2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
soft, xrefs: 00402FCB

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-411526020
Opcode ID: b750e8e4e7df36a99149f0ab2e150caf8403846cf59efbe219a1874bf977bdf0
Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
Opcode Fuzzy Hash: b750e8e4e7df36a99149f0ab2e150caf8403846cf59efbe219a1874bf977bdf0
Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD

Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040641D
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406430
SHGetSpecialFolderLocation.SHELL32(00405359,0041DA00,00000000,0042C228,?,00405359,0042C228,00000000), ref: 0040646C
SHGetPathFromIDListW.SHELL32(0041DA00,Call), ref: 0040647A
CoTaskMemFree.OLE32(0041DA00), ref: 00406485
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
lstrlenW.KERNEL32(Call,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406503

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004064A5
user32::EnumWindows(i r1 ,i 0), xrefs: 004064D9
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063ED
Call, xrefs: 00406306, 004063E1, 004063E8, 004063EC, 00406406, 00406407, 0040641C, 0040642F, 0040644B, 00406476, 004064AA, 004064B0, 004064CC, 004064DF, 004064FC, 00406502, 0040650E, 00406541

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 717251189-3319343437
Opcode ID: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
Instruction ID: 29f0adb049bea166a756856afc1b7ff582c4fdfd81cc2e884c30b49282791dbd
Opcode Fuzzy Hash: be842abed2e65b63b3d72d51674aff3c14f059aabebd99e4c76d62d1777cce00
Instruction Fuzzy Hash: E6611071A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes,?,?,00000031), ref: 004017D5

Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7

Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A,0040327A,0042C228,00000000,0041DA00,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes$C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp$C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll$Call
API String ID: 1941528284-14295844
Opcode ID: b057a688d914eef7caf18a0e6fee2ba2bce91a0dfa11573c507a656315e6beb6
Instruction ID: 24a82d921ca393d09b0f70664e9a68f54f64900ed4cc6ef124b6c19d11fe7a64
Opcode Fuzzy Hash: b057a688d914eef7caf18a0e6fee2ba2bce91a0dfa11573c507a656315e6beb6
Instruction Fuzzy Hash: 12419371900518BACF107BA5DD46DAF3A79EF45368F20423FF422B10E1DA3C8A519A6D

Function 00403116 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403227
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403250
wsprintfW.USER32 ref: 00403263

Strings

@, xrefs: 0040319A
... %d%%, xrefs: 0040325D

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$@
API String ID: 551687249-3859443358
Opcode ID: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction ID: 5c504835c6c52170eea8577a9cac8da2a2598cbf1b76cdbdeb728d3f56fa2377
Opcode Fuzzy Hash: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
Instruction Fuzzy Hash: AA517A71900219DBCB10DFA5DA84A9E7BB8AF04366F14417BEC14B72C0CB78DA40CBA9

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
wsprintfW.USER32 ref: 00406676
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Strings

%s%S.dll, xrefs: 00406670
\, xrefs: 0040664C
UXTHEME, xrefs: 0040662D

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99

Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834
GetLastError.KERNEL32 ref: 00405848
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
GetLastError.KERNEL32 ref: 00405867

Strings

C:\Users\user\Desktop, xrefs: 004057F1

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1876063424
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9

Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DFD
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9), ref: 00405E18

Strings

"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 00405DDF
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE4, 00405DE8
nsa, xrefs: 00405DEC

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1541355923
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64

Function 73911777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73911B5F: GlobalFree.KERNEL32(?), ref: 73911DB2
Part of subcall function 73911B5F: GlobalFree.KERNEL32(?), ref: 73911DB7
Part of subcall function 73911B5F: GlobalFree.KERNEL32(?), ref: 73911DBC

GlobalFree.KERNEL32(00000000), ref: 73911825
FreeLibrary.KERNEL32(?), ref: 739118AB
GlobalFree.KERNEL32(00000000), ref: 739118D0

Part of subcall function 73912352: GlobalAlloc.KERNEL32(00000040,?), ref: 73912383

Part of subcall function 73912724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,739117F6,00000000), ref: 739127F4

Part of subcall function 739115C6: wsprintfW.USER32 ref: 739115F4

Strings

, xrefs: 739118B1

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: bf7302b7f789fb173900fc7412bbc9572d36f97bca46513bc91a01f860c0a9e8
Instruction ID: 116b60c0d5947e8c96d1d3b76095c38a406131a5c63dd13a666508dbb8c18a90
Opcode Fuzzy Hash: bf7302b7f789fb173900fc7412bbc9572d36f97bca46513bc91a01f860c0a9e8
Instruction Fuzzy Hash: 8141847250030FFBDB11AF649884BD537BCAB04354F1884B5E95ABE1CADBB891A4C762

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: c72d40a864b89179d6177807711ca710c6d7a48354557ea1e55874adbd4ea6b3
Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
Opcode Fuzzy Hash: c72d40a864b89179d6177807711ca710c6d7a48354557ea1e55874adbd4ea6b3
Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,75573420,004059EC,?,C:\Users\user\AppData\Local\Temp\,75573420,00000000), ref: 00405C48
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057F1: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405834

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes
API String ID: 1892508949-736155189
Opcode ID: ccc26fd8040a7d4b53b38cf61a52de36f24ca8f1ae9d4c3caa59a04d4873da4d
Instruction ID: 4927223e19ece6e176e0ab471dddb7e32c8def581d8881840bcbc1854d235eeb
Opcode Fuzzy Hash: ccc26fd8040a7d4b53b38cf61a52de36f24ca8f1ae9d4c3caa59a04d4873da4d
Instruction Fuzzy Hash: 9711E231504505EBCF30AFA1CD0159F36A0EF14369B29493BFA45B22F1DB3E89519B5E

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A,0040327A,0042C228,00000000,0041DA00,755723A0), ref: 0040537D
Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 666f6d8ac427e58388e3d879615a983e5b51d40526e42ae90acfa13b1993aa0d
Instruction ID: 732860e23109d101385e559ec06a1cde6071cd761d8e517fa4c79c7f2b675a05
Opcode Fuzzy Hash: 666f6d8ac427e58388e3d879615a983e5b51d40526e42ae90acfa13b1993aa0d
Instruction Fuzzy Hash: 4421B031D00205EACF20AFA5CE48A9E7A70BF04358F64413BF511B51E0DBBD8981DA6E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 6e579435eca9b4b687e1d7b96289a1719cefcc3e0237eeeb9f7ae371a7a8e2b7
Instruction ID: 2791961e855c801182d2f4b3e101f078c994d4f4985963d794b0561754721dd9
Opcode Fuzzy Hash: 6e579435eca9b4b687e1d7b96289a1719cefcc3e0237eeeb9f7ae371a7a8e2b7
Instruction Fuzzy Hash: E6F09632E045119BE704BBA49B8EABE72A89B44354F29403FFE42F71C1CAF85D41676D

Function 00406694 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
GetProcAddress.KERNEL32(00000000,?), ref: 004066C1

Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D

Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D

Function 73912AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 73912B6B

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 9bf59a235672cf4b08eb73d0a293d9820632e96d862d7571ef8e9feb2cccde66
Instruction ID: e947bf0b295f35a007221a45fc9b22f175276e3b5de25b3ec14fcef588aa953d
Opcode Fuzzy Hash: 9bf59a235672cf4b08eb73d0a293d9820632e96d862d7571ef8e9feb2cccde66
Instruction Fuzzy Hash: B74191F290420EEFFB21FFA9D9417D937A9EB04358F314426E54DBB180D63599A0CB92

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
Instruction ID: 7f9197a1b1888ebfd6de04269447b21ffcaf0972564048b2e7bc6ee4a29003df
Opcode Fuzzy Hash: 2074296acf118ace0f9b9ab2ab8615e2fe297c7dd6636d95e153eafbd2080ce7
Instruction Fuzzy Hash: 29E06D71E04104AAD710EBA5AE098AEB768DB84318B24407FF201B50D1CA7949119E2D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4

Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8

Function 73912993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7391505C,00000004,00000040,7391504C), ref: 739129B1

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 777e1ec94f91260cb86d1dd0267d40826f3dbb32199feabab8da735c2f16465e
Instruction ID: ba0b083898ce09703dc32058e4d9d7254b9fe8da6899f3e603c118d6ecafb2cf
Opcode Fuzzy Hash: 777e1ec94f91260cb86d1dd0267d40826f3dbb32199feabab8da735c2f16465e
Instruction Fuzzy Hash: 70F092F2628285FEC351EFAEC4447193BE0B748204B66463AE19CFF241E3344944CF92

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Function 00406127 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,004061B5,0042C228,00000000,?,?,Call,?), ref: 0040614B

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 36851d47f29f4e5f8caad751ec2fdfbff3eb3ab123f48471e652e243bc97ec45
Instruction ID: 6c8b7a7afc7aeb3e996b6e5dc2b2c32cd2e79b991574bcf3a276c199f91445cd
Opcode Fuzzy Hash: 36851d47f29f4e5f8caad751ec2fdfbff3eb3ab123f48471e652e243bc97ec45
Instruction Fuzzy Hash: C1D01232B04100D7DB10DBA4AF4899D73A49B84369B344577E102F11D0D6B9D9416A29

Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0bc635984c6f466b42bf69b1192a92afab3c6d6232f2671ab24b9074207b237f
Instruction ID: 4fc8e819a9ec015efa4fb87cb4f3efb4dacce27a9684fd7b71b6c066277d8bf2
Opcode Fuzzy Hash: 0bc635984c6f466b42bf69b1192a92afab3c6d6232f2671ab24b9074207b237f
Instruction Fuzzy Hash: 19D0A773F142008BD710DBB8BE8949E73E8E780329330883BE102F10D1E978D8424E2C

Function 7391121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,7391123B,?,739112DF,00000019,739111BE,-000000A0), ref: 73911225

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 00704d6e8e26557e4c674d028683ca888489e5efa8a46ed5782407db844b207a
Instruction ID: 3263e1dc616c4f09d13d843eba89427dc9df07418fba7d9749140fcccbbf0929
Opcode Fuzzy Hash: 00704d6e8e26557e4c674d028683ca888489e5efa8a46ed5782407db844b207a
Instruction Fuzzy Hash: 40B002B2E48110EFEF40ABEACD46F353664E744705F554060F60DEA185D5645814C575

Non-executed Functions

Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004054BF
GetDlgItem.USER32(?,000003EE), ref: 004054CE
GetClientRect.USER32(?,?), ref: 0040550B
GetSystemMetrics.USER32(00000002), ref: 00405512
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
ShowWindow.USER32(?,00000008), ref: 004055AE
GetDlgItem.USER32(?,000003EC), ref: 004055CF
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
GetDlgItem.USER32(?,000003F8), ref: 004054DD

Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274

GetDlgItem.USER32(?,000003EC), ref: 00405621
CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
CloseHandle.KERNEL32(00000000), ref: 00405636
ShowWindow.USER32(00000000), ref: 0040565A
ShowWindow.USER32(?,00000008), ref: 0040565F
ShowWindow.USER32(00000008), ref: 004056A9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
CreatePopupMenu.USER32 ref: 004056EE
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
GetWindowRect.USER32(?,?), ref: 00405722
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
OpenClipboard.USER32(00000000), ref: 00405783
EmptyClipboard.USER32 ref: 00405789
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
GlobalLock.KERNEL32(00000000), ref: 0040579F
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
GlobalUnlock.KERNEL32(00000000), ref: 004057D3
SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
CloseClipboard.USER32 ref: 004057E4

Strings

{, xrefs: 004056C7

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68

Function 00404C9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404CB6
GetDlgItem.USER32(?,00000408), ref: 00404CC1
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
LoadBitmapW.USER32(0000006E), ref: 00404D1E
SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
DeleteObject.GDI32(00000000), ref: 00404D94
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
ShowWindow.USER32(?,00000005), ref: 00404EEE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
ImageList_Destroy.COMCTL32(?), ref: 004050BE
GlobalFree.KERNEL32(?), ref: 004050CE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
ShowWindow.USER32(?,00000000), ref: 0040526D
GetDlgItem.USER32(?,000003FE), ref: 00405278
ShowWindow.USER32(00000000), ref: 0040527F

Strings

, xrefs: 00405257
M, xrefs: 00404E48
N, xrefs: 00404F29

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58

Function 00404722 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404771
SetWindowTextW.USER32(00000000,?), ref: 0040479B
SHBrowseForFolderW.SHELL32(?), ref: 0040484C
CoTaskMemFree.OLE32(00000000), ref: 00404857
lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404889
lstrcatW.KERNEL32(?,Call), ref: 00404895
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7

Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917

Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040496A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985

Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 00404872
A, xrefs: 00404845
user32::EnumWindows(i r1 ,i 0), xrefs: 0040473B
Call, xrefs: 00404883, 00404888, 00404893

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-129677526
Opcode ID: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
Opcode Fuzzy Hash: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D

Function 73911B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7391121B: GlobalAlloc.KERNELBASE(00000040,?,7391123B,?,739112DF,00000019,739111BE,-000000A0), ref: 73911225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73911C6B
lstrcpyW.KERNEL32(00000008,?), ref: 73911CB3
lstrcpyW.KERNEL32(00000808,?), ref: 73911CBD
GlobalFree.KERNEL32(00000000), ref: 73911CD0
GlobalFree.KERNEL32(?), ref: 73911DB2
GlobalFree.KERNEL32(?), ref: 73911DB7
GlobalFree.KERNEL32(?), ref: 73911DBC
GlobalFree.KERNEL32(00000000), ref: 73911FA6
lstrcpyW.KERNEL32(?,?), ref: 73912140
GetModuleHandleW.KERNEL32(00000008), ref: 739121B5
LoadLibraryW.KERNEL32(00000008), ref: 739121C6
GetProcAddress.KERNEL32(?,?), ref: 73912220
lstrlenW.KERNEL32(00000808), ref: 7391223A

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: acf1bf1439acaca62174896b48680df8f7db77e69c8feeb42ca97d8ff80b6b14
Instruction ID: 1a6c2af2e717a05b1016ddf4260fd8c421f75eb36d5a36b52dee8a7be23b64e1
Opcode Fuzzy Hash: acf1bf1439acaca62174896b48680df8f7db77e69c8feeb42ca97d8ff80b6b14
Instruction Fuzzy Hash: B222AA76D0420FEBDB25DFA489807EEB7B9FB08345F50452AD1A6B7284D77096A0CB43

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes
API String ID: 542301482-736155189
Opcode ID: c79f9aaaf2aa45103f2785abe1c238f1ff8b7e426493679be1bb18482ad01322
Instruction ID: 47658dbbd12ee8008517b47355d5d9d52026a5fb35fba2bce99957a22e6c3eef
Opcode Fuzzy Hash: c79f9aaaf2aa45103f2785abe1c238f1ff8b7e426493679be1bb18482ad01322
Instruction Fuzzy Hash: 8B414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44

Function 004072EC Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

p!C, xrefs: 00407520
p!C, xrefs: 0040743C, 0040745E, 0040750E, 004074E0, 00407463

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID: p!C$p!C
API String ID: 0-3125587631
Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d976f7a25d9b6cda02430a9c4c43dcf534a7d9685ff1e4a5993e34d41637e130
Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
Opcode Fuzzy Hash: d976f7a25d9b6cda02430a9c4c43dcf534a7d9685ff1e4a5993e34d41637e130
Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29

Function 00406B15 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04

Function 0340A5AF Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3843484881.0000000003392000.00000040.00001000.00020000.00000000.sdmp, Offset: 03392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3392000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe136019684b61499cfd5d49b0794ce8f6e2dd2705c12c5a51e334a54c29f0c2
Instruction ID: 3308c0690d1b94369044fe12b66e992bac7cf4adc7869e229798d9e0c2fa2d93
Opcode Fuzzy Hash: fe136019684b61499cfd5d49b0794ce8f6e2dd2705c12c5a51e334a54c29f0c2
Instruction Fuzzy Hash: FB71AE366043418FEB249E398EA87CB77A7AF553A0F56816ECC959F1D5D730C482CB06

Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
ShowWindow.USER32(?), ref: 00403DB1
DestroyWindow.USER32 ref: 00403DC5
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
GetDlgItem.USER32(?,?), ref: 00403E02
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
IsWindowEnabled.USER32(00000000), ref: 00403E1D
GetDlgItem.USER32(?,00000001), ref: 00403ECB
GetDlgItem.USER32(?,00000002), ref: 00403ED5
SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
GetDlgItem.USER32(?,00000003), ref: 00403FE6
ShowWindow.USER32(00000000,?), ref: 00404007
EnableWindow.USER32(?,?), ref: 00404019
EnableWindow.USER32(?,?), ref: 00404034
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
EnableMenuItem.USER32(00000000), ref: 00404051
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
SetWindowTextW.USER32(?,0042D248), ref: 004040BA
ShowWindow.USER32(?,0000000A), ref: 004041EE

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
Opcode Fuzzy Hash: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D

Function 004043F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
GetDlgItem.USER32(?,000003E8), ref: 004044A2
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
GetSysColor.USER32(?), ref: 004044D0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
lstrlenW.KERNEL32(?), ref: 004044F1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
GetDlgItem.USER32(?,0000040A), ref: 0040456C
SendMessageW.USER32(00000000), ref: 00404573
GetDlgItem.USER32(?,000003E8), ref: 0040459E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
SetCursor.USER32(00000000), ref: 004045F2
LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
SetCursor.USER32(00000000), ref: 0040460E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F

Strings

gC@, xrefs: 004045FA
Call, xrefs: 004045CD
N, xrefs: 0040458C

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$gC@
API String ID: 3103080414-2733886405
Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4

Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A

Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
wsprintfA.USER32 ref: 00405F85
GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
GlobalFree.KERNEL32(00000000), ref: 0040606E
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075

Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6

Strings

%ls=%ls, xrefs: 00405F7B
[Rename], xrefs: 00405FEF, 00406001

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD

Function 0040654E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe",0040336A,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8

Strings

"C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe", xrefs: 0040654E
C:\Users\user\AppData\Local\Temp\, xrefs: 0040654F, 00406554
*?|<>/":, xrefs: 004065A0

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2696618645
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD

Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042B5
GetSysColor.USER32(00000000), ref: 004042F3
SetTextColor.GDI32(?,00000000), ref: 004042FF
SetBkMode.GDI32(?,?), ref: 0040430B
GetSysColor.USER32(?), ref: 0040431E
SetBkColor.GDI32(?,?), ref: 0040432E
DeleteObject.GDI32(?), ref: 00404348
CreateBrushIndirect.GDI32(?), ref: 00404352

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54

Function 00405322 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041DA00,755723A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
lstrcatW.KERNEL32(0042C228,0040327A,0040327A,0042C228,00000000,0041DA00,755723A0), ref: 0040537D
SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
Opcode Fuzzy Hash: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8

Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
GetMessagePos.USER32 ref: 00404C0F
ScreenToClient.USER32(?,?), ref: 00404C29
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61

Strings

f, xrefs: 00404C3D

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E

Strings

Calibri, xrefs: 00401E24

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000BA9AF,00000064,000BA9B3), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
Opcode Fuzzy Hash: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98

Function 73912569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 7391121B: GlobalAlloc.KERNELBASE(00000040,?,7391123B,?,739112DF,00000019,739111BE,-000000A0), ref: 73911225

GlobalFree.KERNEL32(?), ref: 73912657
GlobalFree.KERNEL32(00000000), ref: 7391268C

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a90eb48719415e466a4aab77a1418ec743df7e984c87151310ec5437362f8780
Instruction ID: ac56154d2020126dc6e919e49d39be4803533051cfba187e3228c5c8963faa64
Opcode Fuzzy Hash: a90eb48719415e466a4aab77a1418ec743df7e984c87151310ec5437362f8780
Instruction Fuzzy Hash: 8A31057221810EEFDB16BF55C884FAA77BAFB85384324053AF185B7194C7309825CB53

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 597e252258520be259e8a88870ae804dc8dc3ce230a627ed07a3ee4bfd89a876
Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
Opcode Fuzzy Hash: 597e252258520be259e8a88870ae804dc8dc3ce230a627ed07a3ee4bfd89a876
Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp$C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll
API String ID: 3109718747-3933649940
Opcode ID: 18a92599d19568ff8bc05a4b5855478ddca432145c4c7b47034acc93206d5566
Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
Opcode Fuzzy Hash: 18a92599d19568ff8bc05a4b5855478ddca432145c4c7b47034acc93206d5566
Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E

Function 739118D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 7391193A
GlobalFree.KERNEL32(?), ref: 73911ADA
GlobalFree.KERNEL32(?), ref: 73911ADF

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 9797e6dc0f6b9e91b2374a10f9e3067e7f82842c47ca63b57d37d6df448c53c6
Instruction ID: 8a76e3da2966ac09d06ab7db55873396a0b708551a1d73959f0ff509f539673f
Opcode Fuzzy Hash: 9797e6dc0f6b9e91b2374a10f9e3067e7f82842c47ca63b57d37d6df448c53c6
Instruction Fuzzy Hash: 3851C432D0415FFBEB129FA485407ADBFBEEB44294F08425AD406B3284D670AEF18797

Function 73912394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 739124D6

Part of subcall function 7391122C: lstrcpynW.KERNEL32(00000000,?,739112DF,00000019,739111BE,-000000A0), ref: 7391123C

GlobalAlloc.KERNEL32(00000040), ref: 7391245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73912477

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 19f392ca3efcda186646be2839a7d104a90dd783e7bc90d3709d4ac90918042c
Instruction ID: e218fddac631077c110bf4c33bf88b184037173013d7658b01d6ed86079d89c7
Opcode Fuzzy Hash: 19f392ca3efcda186646be2839a7d104a90dd783e7bc90d3709d4ac90918042c
Instruction Fuzzy Hash: E841D1B100830EEFD315FF65D844BA677B8EB58310B10482DE48AAB584EB30A465DBA3

Function 7391161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,739121EC,?,00000808), ref: 73911635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,739121EC,?,00000808), ref: 7391163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,739121EC,?,00000808), ref: 73911650
GetProcAddress.KERNEL32(739121EC,00000000), ref: 73911657
GlobalFree.KERNEL32(00000000), ref: 73911660

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 980dcbe141eeaeb584ba7770f3e7dabd79fad73c0866b790e0747735f2a25049
Instruction ID: f0aa3edaf2775df93a00a215cb6b34d97a64ff200d12194eb040a7478f52492f
Opcode Fuzzy Hash: 980dcbe141eeaeb584ba7770f3e7dabd79fad73c0866b790e0747735f2a25049
Instruction Fuzzy Hash: 23F0127310A1387BD62026A78C4CD9B7EACDF8F6F5B120221F61CA219095618D01D7F1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0f39d9f12d53ff93ed05ad22e5c2654e25c024a76bc5e8eaad46146554dabe63
Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
Opcode Fuzzy Hash: 0f39d9f12d53ff93ed05ad22e5c2654e25c024a76bc5e8eaad46146554dabe63
Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18

Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
wsprintfW.USER32 ref: 00404B88
SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B

Strings

%u.%u%s%s, xrefs: 00404B69

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
Opcode Fuzzy Hash: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp
API String ID: 2655323295-1415516051
Opcode ID: 476ed8c7c4dcb631ffcdca5b1d3dc3ea86019fa5d160a259efe562ff2e5954af
Instruction ID: 076fdad28fc4eb621c0ae83062707e46e05f76c541c0890e85279b1380dde0ba
Opcode Fuzzy Hash: 476ed8c7c4dcb631ffcdca5b1d3dc3ea86019fa5d160a259efe562ff2e5954af
Instruction Fuzzy Hash: F1118471D00108BEEB10AFA5DE89EAEBA74EB44754F15803BF504F71D1DBB48D409B28

Function 00405B8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405BB1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC

Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052C5
CallWindowProcW.USER32(?,?,?,?), ref: 00405316

Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F

Strings

, xrefs: 004052A6

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E

Function 00406188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063FC,80000002), ref: 004061CE
RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061D9

Strings

Call, xrefs: 0040618F

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 10557ccebddc974baa13a8be622e9b5680c4afd7942ecc434493cd2fadbdf3ae
Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
Opcode Fuzzy Hash: 10557ccebddc974baa13a8be622e9b5680c4afd7942ecc434493cd2fadbdf3ae
Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4

Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
CloseHandle.KERNEL32(?), ref: 004058D9

Strings

Error launching installer, xrefs: 004058B6

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78

Function 00403915 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75573420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
GlobalFree.KERNEL32(?), ref: 00403936

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403927

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8

Function 00405BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,C:\Users\user\Desktop\DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1

Strings

C:\Users\user\Desktop, xrefs: 00405BDB

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD

Function 739110E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7391116A
GlobalFree.KERNEL32(00000000), ref: 739111C7
GlobalFree.KERNEL32(00000000), ref: 739111D9
GlobalFree.KERNEL32(?), ref: 73911203

Memory Dump Source

Source File: 00000000.00000002.3845191510.0000000073911000.00000020.00000001.01000000.00000005.sdmp, Offset: 73910000, based on PE: true

Associated: 00000000.00000002.3845140622.0000000073910000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845206386.0000000073914000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3845219748.0000000073916000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73910000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 64ee4f3c392431b641f4823e16b21b8c413f68b03594cc2f658bc9a3e9cb5b55
Instruction ID: f410e1cc925ad590f830f5ee6497cd66a4d518303b5aa3678d17ae11a67931ae
Opcode Fuzzy Hash: 64ee4f3c392431b641f4823e16b21b8c413f68b03594cc2f658bc9a3e9cb5b55
Instruction Fuzzy Hash: B431A1B250820BFFE7419FAAC944B2AB7FCEB452507150529E84AFB254E734D860CB62

Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57

Memory Dump Source

Source File: 00000000.00000002.3842989084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3842968880.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843014488.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843033507.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3843184990.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\Ratgears.spa

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\Retterganges.Rat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\fusees.sek

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\sojakagerne.baf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Livmoderens15\Skuespilforfatternes\tommelfingerreglerne.ove

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\nsfCF9A.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe

Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 004059CC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00403116 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166
COMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 73911777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON