Windows Analysis Report
documentos DHL.exe

Overview

General Information

Sample Name: documentos DHL.exe
Analysis ID: 755464
MD5: ca1cd0656568af4f58aa28e61a3e3edb
SHA1: 1fde05eb6e587047d8a47950bcb2efdb53409b42
SHA256: 6931d5a8ac6e00c855139d9da394b7895d83a9a18a8974c0b2381c5a28e68678

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Found stalling execution ending in API Sleep call
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Executable has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: documentos DHL.exe ReversingLabs: Detection: 17%
Source: documentos DHL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.74.206:443 -> 192.168.11.20:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.65:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: documentos DHL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_004066F3 FindFirstFileW,FindClose, 2_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00402862 FindFirstFileW, 2_2_00402862
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\AppData\Local\Temp\nsd3BF8.tmp
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181/*/1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-04-90-docs.googleusercontent.com
    Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: documentos DHL.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/:
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/=
Source: ExtExport.exe, 00000025.00000002.1822822611.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1821975252.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9u
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/d
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1810628390.000000001E7B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_00405553

System Summary

Source: initial sample Static PE information: Filename: documentos DHL.exe
Source: documentos DHL.exe Static file information: Suspicious name
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403489
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00404D90 2_2_00404D90
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00406ABA 2_2_00406ABA
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338F535 2_2_0338F535
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337133E 2_2_0337133E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372B3E 2_2_03372B3E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378B2A 2_2_03378B2A
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377B14 2_2_03377B14
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337231C 2_2_0337231C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372719 2_2_03372719
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371F0F 2_2_03371F0F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372F0E 2_2_03372F0E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B70E 2_2_0337B70E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338E704 2_2_0338E704
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377373 2_2_03377373
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372F7C 2_2_03372F7C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372763 2_2_03372763
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371760 2_2_03371760
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371F6F 2_2_03371F6F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337236E 2_2_0337236E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370750 2_2_03370750
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337675F 2_2_0337675F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370F5A 2_2_03370F5A
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370B42 2_2_03370B42
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033727B7 2_2_033727B7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370BB9 2_2_03370BB9
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372BA4 2_2_03372BA4
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338FB9A 2_2_0338FB9A
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337139F 2_2_0337139F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370799 2_2_03370799
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370383 2_2_03370383
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033703FE 2_2_033703FE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033727F8 2_2_033727F8
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03376FEF 2_2_03376FEF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033717D6 2_2_033717D6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BBD5 2_2_0337BBD5
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371FD4 2_2_03371FD4
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033707DB 2_2_033707DB
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372FDA 2_2_03372FDA
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033723CC 2_2_033723CC
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338EBC3 2_2_0338EBC3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337223F 2_2_0337223F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337263F 2_2_0337263F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370225 2_2_03370225
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0339021B 2_2_0339021B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0339260A 2_2_0339260A
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370601 2_2_03370601
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370A0D 2_2_03370A0D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370E08 2_2_03370E08
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371670 2_2_03371670
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370E7C 2_2_03370E7C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371267 2_2_03371267
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370A62 2_2_03370A62
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372A68 2_2_03372A68
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377258 2_2_03377258
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372E41 2_2_03372E41
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033776B4 2_2_033776B4
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033706A6 2_2_033706A6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372EAF 2_2_03372EAF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378EAF 2_2_03378EAF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377691 2_2_03377691
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371E9D 2_2_03371E9D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337269D 2_2_0337269D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337029B 2_2_0337029B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378AF6 2_2_03378AF6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033716F3 2_2_033716F3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370EFD 2_2_03370EFD
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338E2E8 2_2_0338E2E8
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033706ED 2_2_033706ED
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377EEC 2_2_03377EEC
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372AE9 2_2_03372AE9
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033712DD 2_2_033712DD
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033702D9 2_2_033702D9
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377ED8 2_2_03377ED8
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370AC6 2_2_03370AC6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033722C0 2_2_033722C0
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337293D 2_2_0337293D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D3A 2_2_03372D3A
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370925 2_2_03370925
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377124 2_2_03377124
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372528 2_2_03372528
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D75 2_2_03372D75
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D73 2_2_03372D73
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B57F 2_2_0337B57F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337057E 2_2_0337057E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377578 2_2_03377578
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD78 2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D67 2_2_03372D67
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371566 2_2_03371566
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D65 2_2_03372D65
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D63 2_2_03372D63
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D61 2_2_03372D61
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D6F 2_2_03372D6F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B56F 2_2_0337B56F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D6D 2_2_03372D6D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D6B 2_2_03372D6B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03383D65 2_2_03383D65
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D69 2_2_03372D69
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372169 2_2_03372169
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377569 2_2_03377569
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370155 2_2_03370155
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D55 2_2_03372D55
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D53 2_2_03372D53
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D51 2_2_03372D51
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371150 2_2_03371150
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370D50 2_2_03370D50
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D5F 2_2_03372D5F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378D5E 2_2_03378D5E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337055D 2_2_0337055D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D5D 2_2_03372D5D
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D5B 2_2_03372D5B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D59 2_2_03372D59
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372D4B 2_2_03372D4B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033775B7 2_2_033775B7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372DB2 2_2_03372DB2
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033911B4 2_2_033911B4
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033729A6 2_2_033729A6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372DAC 2_2_03372DAC
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B9AC 2_2_0337B9AC
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033709AA 2_2_033709AA
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378DA9 2_2_03378DA9
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377994 2_2_03377994
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370D92 2_2_03370D92
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD8C 2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033779FF 2_2_033779FF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033715E9 2_2_033715E9
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033721DD 2_2_033721DD
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033701C7 2_2_033701C7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372DC5 2_2_03372DC5
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033725C0 2_2_033725C0
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377038 2_2_03377038
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377027 2_2_03377027
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337082F 2_2_0337082F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03378C2C 2_2_03378C2C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03391419 2_2_03391419
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03371416 2_2_03371416
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370010 2_2_03370010
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372019 2_2_03372019
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370C19 2_2_03370C19
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337C007 2_2_0337C007
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372C04 2_2_03372C04
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337C07E 2_2_0337C07E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337207C 2_2_0337207C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370464 2_2_03370464
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370C63 2_2_03370C63
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337006F 2_2_0337006F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377468 2_2_03377468
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0339085F 2_2_0339085F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B847 2_2_0337B847
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372446 2_2_03372446
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03390044 2_2_03390044
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033714B7 2_2_033714B7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B4B7 2_2_0337B4B7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033728A6 2_2_033728A6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033770A6 2_2_033770A6
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033708A3 2_2_033708A3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033724AE 2_2_033724AE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03384CF8 2_2_03384CF8
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03372CE3 2_2_03372CE3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033700E0 2_2_033700E0
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033720EF 2_2_033720EF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033704DF 2_2_033704DF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03370CDC 2_2_03370CDC
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033728C7 2_2_033728C7
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08897 37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A079DC 37_2_02A079DC
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03D68 37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A206A9 37_2_02A206A9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CB1 37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A02EBF 37_2_02A02EBF
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1B885 37_2_02A1B885
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CE9 37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A058EE 37_2_02A058EE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CFA 37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A046C1 37_2_02A046C1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08CC9 37_2_02A08CC9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1CEDD 37_2_02A1CEDD
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A05A20 37_2_02A05A20
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03421 37_2_02A03421
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0422B 37_2_02A0422B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08231 37_2_02A08231
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04035 37_2_02A04035
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0423A 37_2_02A0423A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A3A 37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A05A6B 37_2_02A05A6B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0866E 37_2_02A0866E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1DE76 37_2_02A1DE76
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04279 37_2_02A04279
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08241 37_2_02A08241
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A4E 37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04656 37_2_02A04656
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1C85C 37_2_02A1C85C
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1AFAA 37_2_02A1AFAA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04BAE 37_2_02A04BAE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A057B8 37_2_02A057B8
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04B9A 37_2_02A04B9A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03DE6 37_2_02A03DE6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A057EC 37_2_02A057EC
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1B3C6 37_2_02A1B3C6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A083D0 37_2_02A083D0
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A047D6 37_2_02A047D6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0412A 37_2_02A0412A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1CD06 37_2_02A1CD06
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08509 37_2_02A08509
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03F1A 37_2_02A03F1A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A05B71 37_2_02A05B71
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04376 37_2_02A04376
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08179 37_2_02A08179
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08D40 37_2_02A08D40
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04353 37_2_02A04353
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1FE97 NtCreateThreadEx, 37_2_02A1FE97
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08897 NtProtectVirtualMemory, 37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A065BA NtSetInformationProcess, 37_2_02A065BA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03D68 NtProtectVirtualMemory, 37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CB1 NtProtectVirtualMemory, 37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CE9 NtProtectVirtualMemory, 37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CFA NtProtectVirtualMemory, 37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0422B NtProtectVirtualMemory, 37_2_02A0422B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04035 NtProtectVirtualMemory, 37_2_02A04035
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0423A NtProtectVirtualMemory, 37_2_02A0423A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04279 NtProtectVirtualMemory, 37_2_02A04279
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A4E NtProtectVirtualMemory, 37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03DE6 NtProtectVirtualMemory, 37_2_02A03DE6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0412A NtProtectVirtualMemory, 37_2_02A0412A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08932 NtProtectVirtualMemory, 37_2_02A08932
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0890D NtProtectVirtualMemory, 37_2_02A0890D
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03F1A NtProtectVirtualMemory, 37_2_02A03F1A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A04376 NtProtectVirtualMemory, 37_2_02A04376
Source: C:\Users\user\Desktop\documentos DHL.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Section loaded: edgegdi.dll
Source: libpixbufloader-icns.dll.2.dr Static PE information: Number of sections : 11 > 10
Source: documentos DHL.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\documentos DHL.exe File read: C:\Users\user\Desktop\documentos DHL.exe
Source: documentos DHL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\documentos DHL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\documentos DHL.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403489
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\Zorillinae
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\AppData\Local\Temp\nsd3BF7.tmp
Source: classification engine Classification label: mal88.troj.spyw.evad.winEXE@45/6@2/2
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_004020FE CoCreateInstance, 2_2_004020FE
Source: C:\Users\user\Desktop\documentos DHL.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_00404814
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\documentos DHL.exe File written: C:\Windows\Resources\0409\Transcriptive.ini
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: documentos DHL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: Yara match File source: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.1618126975.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_10002DE0 push eax; ret 2_2_10002E0E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337977F push cs; iretd 2_2_03379780
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03375F4D push ss; retf 2_2_03375F4E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03373FEA push ss; retf 2_2_0337407F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03376225 push FFFFFFE5h; ret 2_2_03376227
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033765ED push ecx; retf 2_2_033765EE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A00CAC push ss; retf 37_2_02A00D41
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A032AF push ecx; retf 37_2_02A032B0
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A02C0F push ss; retf 37_2_02A02C10
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A06441 push cs; iretd 37_2_02A06442
Source: libpixbufloader-icns.dll.2.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll
Source: C:\Users\user\Desktop\documentos DHL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\documentos DHL.exe Dropped PE file which has not been started: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337133E rdtsc 2_2_0337133E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_004066F3 FindFirstFileW,FindClose, 2_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00402862 FindFirstFileW, 2_2_00402862
Source: C:\Users\user\Desktop\documentos DHL.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\documentos DHL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\AppData\Local\Temp\nsd3BF8.tmp
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: ExtExport.exe, 00000025.00000002.1822131908.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337133E rdtsc 2_2_0337133E
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BF0F mov eax, dword ptr fs:[00000030h] 2_2_0337BF0F
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03376FEF mov eax, dword ptr fs:[00000030h] 2_2_03376FEF
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BBD5 mov eax, dword ptr fs:[00000030h] 2_2_0337BBD5
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337F2D4 mov eax, dword ptr fs:[00000030h] 2_2_0337F2D4
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338F516 mov eax, dword ptr fs:[00000030h] 2_2_0338F516
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD78 mov ebx, dword ptr fs:[00000030h] 2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD78 mov eax, dword ptr fs:[00000030h] 2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD8C mov ebx, dword ptr fs:[00000030h] 2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BD8C mov eax, dword ptr fs:[00000030h] 2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377038 mov eax, dword ptr fs:[00000030h] 2_2_03377038
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03377027 mov eax, dword ptr fs:[00000030h] 2_2_03377027
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_03391419 mov eax, dword ptr fs:[00000030h] 2_2_03391419
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BC70 mov eax, dword ptr fs:[00000030h] 2_2_0337BC70
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337BC4B mov eax, dword ptr fs:[00000030h] 2_2_0337BC4B
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0337B4B7 mov eax, dword ptr fs:[00000030h] 2_2_0337B4B7
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_033770A6 mov eax, dword ptr fs:[00000030h] 2_2_033770A6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08897 mov eax, dword ptr fs:[00000030h] 37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03D68 mov eax, dword ptr fs:[00000030h] 37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CB1 mov eax, dword ptr fs:[00000030h] 37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CE9 mov eax, dword ptr fs:[00000030h] 37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A03CFA mov eax, dword ptr fs:[00000030h] 37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A3A mov ebx, dword ptr fs:[00000030h] 37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A3A mov eax, dword ptr fs:[00000030h] 37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A4E mov ebx, dword ptr fs:[00000030h] 37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08A4E mov eax, dword ptr fs:[00000030h] 37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0BF96 mov eax, dword ptr fs:[00000030h] 37_2_02A0BF96
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08BD1 mov eax, dword ptr fs:[00000030h] 37_2_02A08BD1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A1C1D8 mov eax, dword ptr fs:[00000030h] 37_2_02A1C1D8
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08932 mov eax, dword ptr fs:[00000030h] 37_2_02A08932
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A0890D mov eax, dword ptr fs:[00000030h] 37_2_02A0890D
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Code function: 37_2_02A08179 mov eax, dword ptr fs:[00000030h] 37_2_02A08179
Source: C:\Users\user\Desktop\documentos DHL.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Process queried: DebugPort Jump to behavior
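The entries above are three anti-analysis primitives in raw form: Hyper-V integration-service names (vmicshutdown, vmicvss, vmicheartbeat) held in memory for VM detection, an rdtsc timing check, and repeated reads of fs:[30h], the 32-bit TEB slot that holds the PEB pointer (BeingDebugged and NtGlobalFlag live there). The script below is an added example, not part of the sandbox report or the sample: it scans a byte blob for the x86 encodings of those instructions and for the service names in both ANSI and UTF-16LE form. The SAMPLE_BLOB is constructed for the example and is not the sample's memory.

```python
"""Scan a byte blob for the anti-analysis indicators the report lists.

Added example, not from the report. Matches:
  * mov eax, dword ptr fs:[30h]  -> 64 A1 30 00 00 00  (or 64 8B 05 30 00 00 00)
  * mov ebx, dword ptr fs:[30h]  -> 64 8B 1D 30 00 00 00
  * rdtsc                        -> 0F 31
  * Hyper-V integration service names, ANSI and UTF-16LE
"""
import re
from collections import defaultdict
from typing import Dict, List

# 0x64 is the fs: segment override; A1 is MOV EAX, moffs32; 8B /r with a
# disp32-only ModRM (05 = eax, 1D = ebx) is the other common encoding.
PATTERNS = {
    "peb_read_eax": rb"\x64(?:\xA1|\x8B\x05)\x30\x00\x00\x00",
    "peb_read_ebx": rb"\x64\x8B\x1D\x30\x00\x00\x00",
    # Two bytes only: expect false positives in arbitrary data, so weigh this
    # lower than the PEB reads when scoring.
    "rdtsc": rb"\x0F\x31",
    # Service short names seen in the report; a real scanner would carry the
    # full vmic* set.
    "hyperv_service_ansi": rb"vmic(?:shutdown|vss|heartbeat)",
    # Windows processes keep most strings as UTF-16LE, so match that form too.
    "hyperv_service_wide": re.escape("Hyper-V ".encode("utf-16le")),
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {indicator_name: [offsets]} for every indicator found."""
    hits = defaultdict(list)
    for name, pattern in PATTERNS.items():
        for match in re.finditer(pattern, blob):
            hits[name].append(match.start())
    return dict(hits)


def classify(hits: Dict[str, List[int]]) -> List[str]:
    """Turn raw hits into the behaviour labels an analyst would report."""
    verdicts = []
    if hits.get("peb_read_eax") or hits.get("peb_read_ebx"):
        verdicts.append("reads PEB via fs:[30h] (BeingDebugged / NtGlobalFlag style check)")
    if hits.get("rdtsc"):
        verdicts.append("rdtsc timing check (debugger / single-step detection)")
    if hits.get("hyperv_service_ansi") or hits.get("hyperv_service_wide"):
        verdicts.append("Hyper-V integration service names (VM detection)")
    return verdicts


# Constructed input for the example: a tiny code stub followed by the kind of
# strings the report extracted. Not taken from the sample.
SAMPLE_BLOB = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]         (offset 3)
    b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2] -> BeingDebugged
    b"\x0F\x31"                        # rdtsc                     (offset 13)
    b"\x64\x8B\x1D\x30\x00\x00\x00"    # mov ebx, fs:[30h]         (offset 15)
    b"\xC3"                            # ret
    + b"\x00" * 16
    + b"vmicheartbeat\x00"             # ANSI service name          (offset 39)
    + "Hyper-V Guest Shutdown Service".encode("utf-16le")  # wide   (offset 53)
)


if __name__ == "__main__":
    found = scan(SAMPLE_BLOB)
    for name, offsets in found.items():
        print(f"{name:22s} at {[hex(o) for o in offsets]}")
    for verdict in classify(found):
        print("->", verdict)
```

Run it against a process memory dump (or the unpacked region at 0x0337xxxx that the report's function addresses point into) rather than the on-disk NSIS installer: GuLoader's checks live in the shellcode it decrypts at runtime, so the packed file will show few or none of these patterns.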
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_0338F535 LdrLoadDll, 2_2_0338F535
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\documentos DHL.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 2_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403489

Stealing of Sensitive Information

barindex
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe Key opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
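Two things in this report are detectable without any knowledge of the GuLoader family. First, the process tree: a Desktop executable repeatedly creates signed Internet Explorer helpers (ieinstal.exe, ielowutil.exe, ExtExport.exe) whose command line is the parent's own path rather than the helper's, which is what a process started suspended and then overwritten looks like. Second, the registry keys and files ExtExport.exe then opens (IncrediMail, Outlook profiles, KiTTY, WinSCP under "Martin Prikryl", Far and ClassicFTP host lists, Chrome's Login Data) exist only to hold stored credentials. The script below is an added example, not part of the report: it runs both checks over a constructed event list modelled on an EDR or Sysmon-style feed. The Event fields and the benign control events are assumptions for the example.

```python
"""Flag the hollowed-IE-helper process tree and credential-store access seen
in the report. Added example; the Event schema is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ntpath

IE_HELPERS = {"ieinstal.exe", "ielowutil.exe", "extexport.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Substring patterns (lower-cased) for the stores the report shows being read.
CREDENTIAL_STORES = [
    (r"\software\incredimail\identities", "IncrediMail identities"),
    (r"\windows messaging subsystem\profiles\outlook", "Outlook profiles"),
    (r"\software\9bis.com\kitty\sessions", "KiTTY sessions"),
    (r"\software\martin prikryl", "WinSCP sessions"),
    (r"\software\far2\plugins\ftp\hosts", "Far FTP hosts"),
    (r"\software\far\plugins\ftp\hosts", "Far FTP hosts"),
    (r"\software\nch software\classicftp\ftpaccounts", "ClassicFTP accounts"),
    (r"\google\chrome\user data\default\login data", "Chrome Login Data"),
]


@dataclass
class Event:
    kind: str          # "process_create" or "object_access"
    process: str       # image path of the acting (or newly created) process
    parent: str = ""   # parent image path   (process_create only)
    cmdline: str = ""  # command line         (process_create only)
    target: str = ""   # registry key or file (object_access only)


def hollowing_candidates(events: List[Event]) -> List[str]:
    """IE helper spawned from a user-writable path with a command line that
    does not name the helper itself: the report's ieinstal/ielowutil/ExtExport
    children all carry the parent's path as their command line."""
    findings = []
    for e in events:
        if e.kind != "process_create":
            continue
        image = ntpath.basename(e.process).lower()
        if image not in IE_HELPERS:
            continue
        from_user_path = e.parent.lower().startswith(USER_WRITABLE_PREFIXES)
        cmdline_mismatch = image not in e.cmdline.lower()
        if from_user_path and cmdline_mismatch:
            findings.append(f"{image} spawned by {e.parent} with foreign command line {e.cmdline!r}")
    return findings


def credential_access(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(process, store label, target) for every read of a known credential store."""
    findings = []
    for e in events:
        if e.kind != "object_access":
            continue
        target = e.target.lower()
        for pattern, label in CREDENTIAL_STORES:
            if pattern in target:
                findings.append((ntpath.basename(e.process), label, e.target))
                break
    return findings


def triage(events: List[Event]) -> Dict[str, list]:
    return {"hollowing": hollowing_candidates(events),
            "credential_access": credential_access(events)}


# Constructed events mirroring the report plus two benign controls.
SAMPLE = "C:\\Users\\user\\Desktop\\documentos DHL.exe"
IE_DIR = "C:\\Program Files (x86)\\Internet Explorer\\"
EVENTS = [
    Event("process_create", IE_DIR + "ieinstal.exe", parent=SAMPLE, cmdline=SAMPLE),
    Event("process_create", IE_DIR + "ExtExport.exe", parent=SAMPLE, cmdline=SAMPLE),
    # Benign control: explorer starting the helper with its own command line.
    Event("process_create", IE_DIR + "ieinstal.exe", parent="C:\\Windows\\explorer.exe",
          cmdline='"' + IE_DIR + 'ieinstal.exe" -Embedding'),
    Event("object_access", IE_DIR + "ExtExport.exe",
          target="HKEY_CURRENT_USER\\Software\\Martin Prikryl"),
    Event("object_access", IE_DIR + "ExtExport.exe",
          target="C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    # Benign control: an unrelated Run-key read.
    Event("object_access", "C:\\Windows\\explorer.exe",
          target="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

if __name__ == "__main__":
    for section, items in triage(EVENTS).items():
        print(section)
        for item in items:
            print("  ", item)
```

The command-line mismatch is the stronger of the two signals: ExtExport.exe legitimately reads browser data for the Internet Explorer import feature, so credential-store access alone needs the parent-process context before it is worth an alert.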